Skip to content

Instantly share code, notes, and snippets.

@howardjohn

howardjohn/README.md

Last active September 14, 2022 17:06
Show Gist options
  • Save howardjohn/ffcd857ed4aa20e1e59983ca2324bd1b to your computer and use it in GitHub Desktop.
Save howardjohn/ffcd857ed4aa20e1e59983ca2324bd1b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
README.md

Demo of experimental Gateway API for Mesh

Concrete example:

$ kubectl apply -f demo-install.yaml
$ kubectl apply -f demo.yaml
$ kubectl exec deployment/shell -- curl -s echo/{0..10} | grep Hostname=
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v2-6b54fc5c67-jltt2
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v2-6b54fc5c67-jltt2
Hostname=echo-v2-6b54fc5c67-jltt2
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v1-f9bc8b978-jwvvx
Hostname=echo-v2-6b54fc5c67-jltt2

Example user flow:

DEVELOPER USE CASE: Canaries with Ingress

In this example, Jane is an application developer who starts out figuring that she'll want mesh functionality at some future point. All she wants is to get a mesh running so she can experiment: she doesn't particularly care about whether she gets a mesh operator or multiple mesh classes or any of that, she just wants basic functionality quickly.

By trade, Jane is a microservice developer for Genius Bakeries, which does online baked goods. She's working mostly with the piece of the system that allows orders to be placed (the orders workload within the bakery namespace). She's already using CoolIngress™ for ingress, and from there she's discovered CoolMesh™.

It's very important to bear in mind that Jane is very, very busy. She really does not have time to go messing about with infrastructure: she wants to focus on her job. As such, she may or may not use Kubernetes perfectly – in her mind, if it's running and does what her users need, that's good enough.

  1. The order-processing workload that Jane works on is already running in the bakery namespace:

    ---
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: bakery
spec:
  selector:
    genius-app: bakery
    workload: orders
  ...
---
apiVersion: v1
kind: Service
metadata:
  name: orders-v1
  namespace: bakery
spec:
  selector:
    genius-app: bakery
    workload: orders
    version: v1
  ...
---
apiVersion: v1
kind: Service
metadata:
  name: orders-v2
  namespace: bakery
spec:
  selector:
    genius-app: bakery
    workload: orders
    version: v2
  ...
---
apiVersion: v1
kind: Deployment
metadata:
  name: orders-v1
  namespace: bakery
spec:
  selector:
    matchLabels:
      genius-app: bakery
      workload: orders
      version: v1
  template:
    metadata:
      labels:
        genius-app: bakery
        workload: orders
        version: v1
    ...
  ...
 ---
 apiVersion: v1
 kind: Deployment
 metadata:
   name: orders-v2
   namespace: bakery
 spec:
   selector:
     matchLabels:
       genius-app: bakery
       workload: orders
       version: v2
   template:
     metadata:
       labels:
         genius-app: bakery
         workload: orders
         version: v2
     ...
   ...

    The order workload has two versions (v1 and v2) currently being deployed as part of a canary rollout. These are both exposed under a single orders service, as well as version-specific services.

  2. Since Jane is already using CoolIngress™, she already has to have an HttpRoute to tell CoolIngress™ about the orders workload. It probably looks something like this, allowing a 80%/20% weighting to the services:

    apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: orders-routes
  namespace: orders
spec:
  parentRefs:
  - kind: Gateway
    name: cluster-gateway
    namespace: infra
  hostnames: ["orders.example.com"]
  rules:
  - backendRefs:
    - name: orders-v1
      port: 80
      weight: 4
    - name: orders-v1
      port: 80
      weight: 1

  3. However, Jane finds that while this works great for traffic coming from the internet, requests from within the cluster are not following these canary rules. As soon as she rolls out v2, it starts getting 50% of the traffic, introducing substantial risk. Jane has read that service meshes can help with this problem, so she starts her CoolMesh™ journey by installing CoolMesh™ using its Helm chart:

    helm install cool-mesh

  4. The quickstart for CoolMesh™ says that, as part of the installation, a Mesh resource is automatically created.

    $ kubectl get mesh
NAME       CONTROLLER                    ACCEPTED   AGE
coolmesh   coolmesh.io/mesh-controller   True       33m

    Great, it is there

  5. The quickstart also says that if she's using CoolIngress™, she needs to add a label to her namespaces to enroll them into the mesh:

    $ kubectl label namespace client coolmesh.io/injection=enabled

    Now she can see in the CoolMesh™ dashboard that she's getting mTLS everywhere, and that CoolMesh™ is showing her stats, and that's cool enough that she doesn't much mind... but mesh clients are still not following the canary rules that the gateway follows.

  6. Next she reads she should setup a route attached to the Mesh, instead of a Gateway:

    apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: orders-routes
  namespace: orders
spec:
  parentRefs:
  - kind: Mesh
    name: coolmesh
  services:
  - name: orders
  rules:
  - backendRefs:
    - name: orders-v1
      port: 80
      weight: 4
    - name: orders-v1
      port: 80
      weight: 1

    Its a bit unfortunate that we cannot use the same rules for Mesh and Gateway. The issue is we need services associated with Mesh, but hostnames associated with Gateway.

Raw
demo-install.yaml
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
release: istio
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole-istio-system
labels:
app: istio-reader
release: istio
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole-istio-system
labels:
app: istiod
release: istio
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update", "patch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gatewayclasses"]
verbs: ["create", "update", "patch", "delete"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-gateway-controller-istio-system
labels:
app: istiod
release: istio
rules:
- apiGroups: ["apps"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "deployments" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole-istio-system
labels:
app: istio-reader
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole-istio-system
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole-istio-system
labels:
app: istiod
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole-istio-system
subjects:
- kind: ServiceAccount
name: istiod
namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-gateway-controller-istio-system
labels:
app: istiod
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-gateway-controller-istio-system
subjects:
- kind: ServiceAccount
name: istiod
namespace: istio-system
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator-istio-system
labels:
app: istiod
release: istio
istio: istiod
istio.io/rev: default
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
service:
name: istiod
namespace: istio-system
path: "/validate"
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "default"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: istio-system
labels:
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
release: istio
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
networks: {}
mesh: |-
defaultConfig:
discoveryAddress: istiod.istio-system.svc:15012
proxyMetadata: {}
tracing:
zipkin:
address: zipkin.istio-system:9411
enablePrometheusMerge: true
rootNamespace: istio-system
trustDomain: cluster.local
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
release: istio
data:
values: |-
{
"global": {
"autoscalingv2API": true,
"caAddress": "",
"caName": "",
"configCluster": false,
"configValidation": true,
"defaultNodeSelector": {},
"defaultPodDisruptionBudget": {
"enabled": true
},
"defaultResources": {
"requests": {
"cpu": "10m"
}
},
"enabled": false,
"externalIstiod": false,
"hub": "gcr.io/howardjohn-istio",
"imagePullPolicy": "",
"imagePullSecrets": [],
"istioNamespace": "istio-system",
"istiod": {
"enableAnalysis": false
},
"jwtPolicy": "third-party-jwt",
"logAsJson": false,
"logging": {
"level": "default:info"
},
"meshID": "",
"meshNetworks": {},
"mountMtlsCerts": false,
"multiCluster": {
"clusterName": "",
"enabled": false
},
"namespace": "istio-system",
"network": "",
"omitSidecarInjectorConfigMap": false,
"oneNamespace": false,
"operatorManageWebhooks": false,
"pilotCertProvider": "istiod",
"priorityClassName": "",
"proxy": {
"autoInject": "enabled",
"clusterDomain": "cluster.local",
"componentLogLevel": "misc:error",
"enableCoreDump": false,
"excludeIPRanges": "",
"excludeInboundPorts": "",
"excludeOutboundPorts": "",
"holdApplicationUntilProxyStarts": false,
"image": "proxyv2",
"includeIPRanges": "*",
"includeInboundPorts": "*",
"includeOutboundPorts": "",
"logLevel": "warning",
"privileged": false,
"readinessFailureThreshold": 30,
"readinessInitialDelaySeconds": 1,
"readinessPeriodSeconds": 2,
"resources": {
"limits": {
"cpu": "2000m",
"memory": "1024Mi"
},
"requests": {
"cpu": "100m",
"memory": "128Mi"
}
},
"statusPort": 15020,
"tracer": "zipkin"
},
"proxy_init": {
"image": "proxyv2",
"resources": {
"limits": {
"cpu": "2000m",
"memory": "1024Mi"
},
"requests": {
"cpu": "10m",
"memory": "10Mi"
}
}
},
"remotePilotAddress": "",
"sds": {
"token": {
"aud": "istio-ca"
}
},
"sts": {
"servicePort": 0
},
"tag": "gateway-mesh-experimental-v1",
"tracer": {
"datadog": {
"address": "$(HOST_IP):8126"
},
"lightstep": {
"accessToken": "",
"address": ""
},
"stackdriver": {
"debug": false,
"maxNumberOfAnnotations": 200,
"maxNumberOfAttributes": 200,
"maxNumberOfMessageEvents": 200
},
"zipkin": {
"address": ""
}
},
"useMCP": false,
"variant": ""
},
"istio_cni": {
"enabled": false
},
"revision": "",
"sidecarInjectorWebhook": {
"alwaysInjectSelector": [],
"defaultTemplates": [],
"enableNamespacesByDefault": false,
"injectedAnnotations": {},
"neverInjectSelector": [],
"rewriteAppHTTPProbe": true,
"templates": {}
}
}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
defaultTemplates: [sidecar]
policy: enabled
alwaysInjectSelector:
[]
neverInjectSelector:
[]
injectedAnnotations:
template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}"
templates:
sidecar: |
{{- define "resources" }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
{{- end }}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
annotations: {
{{- if ge (len $containers) 1 }}
{{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{- end }}
{{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{- end }}
{{- end }}
{{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
{{- end }}
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
{{- end }}
}
spec:
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{ if .Values.istio_cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
{{ end -}}
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
{{- end }}
args:
- istio-iptables
- "-p"
- {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
- "-z"
- "15006"
- "-u"
- "1337"
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else }}
- "15090,15021"
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- "-q"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
{{ end -}}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
- "-c"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
{{ end -}}
- "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
{{ if .Values.global.logAsJson -}}
- "--log_as_json"
{{ end -}}
{{ if .Values.istio_cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
resources:
{{ template "resources" . }}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
{{- if not .Values.istio_cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
{{- if not .Values.istio_cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{- else }}
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
{{- end }}
restartPolicy: Always
{{ end -}}
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources:
{{ template "resources" . }}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if gt .EstimatedConcurrency 0 }}
- --concurrency
- "{{ .EstimatedConcurrency }}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- else if $holdProxy }}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
{{- end }}
env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
allowPrivilegeEscalation: true
capabilities:
add:
- NET_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
runAsNonRoot: false
runAsUser: 0
{{- else }}
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
add:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- NET_ADMIN
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- NET_BIND_SERVICE
{{- end }}
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
{{- end }}
resources:
{{ template "resources" . }}
volumeMounts:
- name: workload-socket
mountPath: /var/run/secrets/workload-spiffe-uds
- name: credential-socket
mountPath: /var/run/secrets/credential-uds
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- else }}
- name: workload-certs
mountPath: /var/run/secrets/workload-spiffe-credentials
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
- emptyDir:
name: workload-socket
- emptyDir:
name: credential-socket
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
csi:
driver: workloadcertificates.security.cloud.google.com
{{- else }}
- emptyDir:
name: workload-certs
{{- end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
gateway: |
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
- name: workload-socket
mountPath: /var/run/secrets/workload-spiffe-uds
- name: credential-socket
mountPath: /var/run/secrets/credential-uds
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- else }}
- name: workload-certs
mountPath: /var/run/secrets/workload-spiffe-credentials
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
- emptyDir: {}
name: workload-socket
- emptyDir: {}
name: credential-socket
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
csi:
driver: workloadcertificates.security.cloud.google.com
{{- else}}
- emptyDir: {}
name: workload-certs
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
grpc-simple: |
metadata:
sidecar.istio.io/rewriteAppHTTPProbers: "false"
spec:
initContainers:
- name: grpc-bootstrap-init
image: busybox:1.28
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
env:
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_NAMESPACE
value: |
{{ .Values.global.istioNamespace }}
command:
- sh
- "-c"
- |-
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
echo '
{
"xds_servers": [
{
"server_uri": "'${SERVER_URI}'",
"channel_creds": [{"type": "insecure"}],
"server_features" : ["xds_v3"]
}
],
"node": {
"id": "'${NODE_ID}'",
"metadata": {
"GENERATOR": "grpc"
}
}
}' > /var/lib/grpc/data/bootstrap.json
containers:
{{- range $index, $container := .Spec.Containers }}
- name: {{ $container.Name }}
env:
- name: GRPC_XDS_BOOTSTRAP
value: /var/lib/grpc/data/bootstrap.json
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
value: "99"
- name: GRPC_GO_LOG_SEVERITY_LEVEL
value: info
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
{{- end }}
volumes:
- name: grpc-io-proxyless-bootstrap
emptyDir: {}
grpc-agent: |
{{- define "resources" }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
{{- end }}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
{{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
annotations: {
{{- if ge (len $containers) 1 }}
{{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{- end }}
{{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{- end }}
{{- end }}
sidecar.istio.io/rewriteAppHTTPProbers: "false",
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .ProxyImage }}"
{{- end }}
ports:
- containerPort: 15020
protocol: TCP
name: mesh-metrics
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
- --url=http://localhost:15020/healthz/ready
env:
- name: ISTIO_META_GENERATOR
value: grpc
- name: OUTPUT_CERTS
value: /var/lib/istio/data
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
# grpc uses xds:/// to resolve – no need to resolve VIP
- name: ISTIO_META_DNS_CAPTURE
value: "false"
- name: DISABLE_ENVOY
value: "true"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15020
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
resources:
{{ template "resources" . }}
volumeMounts:
- name: workload-socket
mountPath: /var/run/secrets/workload-spiffe-uds
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- else }}
- name: workload-certs
mountPath: /var/run/secrets/workload-spiffe-credentials
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
{{- range $index, $container := .Spec.Containers }}
{{ if not (eq $container.Name "istio-proxy") }}
- name: {{ $container.Name }}
env:
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
value: "true"
- name: "GRPC_XDS_BOOTSTRAP"
value: "/etc/istio/proxy/grpc-bootstrap.json"
volumeMounts:
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- else }}
- name: workload-certs
mountPath: /var/run/secrets/workload-spiffe-credentials
{{- end }}
{{- end }}
{{- end }}
volumes:
- emptyDir:
name: workload-socket
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
csi:
driver: workloadcertificates.security.cloud.google.com
{{- else }}
- emptyDir:
name: workload-certs
{{- end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-xds
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
labels:
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: istio
webhooks:
- name: rev.namespace.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "default"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- name: rev.object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "default"
- name: namespace.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- name: object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
istio: pilot
release: istio
spec:
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
selector:
matchLabels:
istio: pilot
template:
metadata:
labels:
app: istiod
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
istio: pilot
annotations:
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istiod
securityContext:
fsGroup: 1337
containers:
- name: discovery
image: "gcr.io/howardjohn-istio/pilot:gateway-mesh-experimental-v1"
args:
- "discovery"
- --monitoringAddr=:15014
- --log_output_level=default:info
- --domain
- cluster.local
- --keepaliveMaxServerConnectionAge
- "30m"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "default"
- name: JWT_POLICY
value: third-party-jwt
- name: PILOT_CERT_PROVIDER
value: istiod
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
- name: PILOT_TRACE_SAMPLING
value: "1"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "true"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "true"
- name: ISTIOD_ADDR
value: istiod.istio-system.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "false"
- name: CLUSTER_ID
value: "Kubernetes"
resources:
requests:
cpu: 500m
memory: 2048Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
release: istio
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
istio: pilot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
release: istio
rules:
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod
subjects:
- kind: ServiceAccount
name: istiod
namespace: istio-system
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: istiod
namespace: istio-system
labels:
app: istiod
release: istio
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
---
apiVersion: v1
kind: Service
metadata:
name: istiod
namespace: istio-system
labels:
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: istio
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gatewayclasses.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: GatewayClass
listKind: GatewayClassList
plural: gatewayclasses
shortNames:
- gc
singular: gatewayclass
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.controllerName
name: Controller
type: string
- jsonPath: .status.conditions[?(@.type=="Accepted")].status
name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.description
name: Description
priority: 1
type: string
name: v1alpha2
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the
user for creating Gateway resources. \n It is recommended that this resource
be used as a template for Gateways. This means that a Gateway is based on
the state of the GatewayClass at the time it was created and changes to
the GatewayClass or associated parameters are not propagated down to existing
Gateways. This recommendation is intended to limit the blast radius of changes
to GatewayClass or associated parameters. If implementations choose to propagate
GatewayClass changes to existing Gateways, that MUST be clearly documented
by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io`
finalizer on the associated GatewayClass. This ensures that a GatewayClass
associated with a Gateway is not deleted while in use. \n GatewayClass is
a Cluster level resource."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
description: "ControllerName is the name of the controller that is
managing Gateways of this class. The value of this field MUST be
a domain prefixed path. \n Example: \"example.net/gateway-controller\".
\n This field is not mutable and cannot be empty. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
description:
description: Description helps describe a GatewayClass with more details.
maxLength: 64
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains
the configuration parameters corresponding to the GatewayClass.
This is optional if the controller does not require any additional
configuration. \n ParametersRef can reference a standard Kubernetes
resource, i.e. ConfigMap, or an implementation-specific custom resource.
The resource can be cluster-scoped or namespace-scoped. \n If the
referent cannot be found, the GatewayClass's \"InvalidParameters\"
status condition will be true. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This
field is required when referring to a Namespace-scoped resource
and MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- controllerName
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: Status defines the current state of GatewayClass.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: "Conditions is the current status from the controller
for this GatewayClass. \n Controllers should prefer to publish conditions
using values of GatewayClassConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.controllerName
name: Controller
type: string
- jsonPath: .status.conditions[?(@.type=="Accepted")].status
name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.description
name: Description
priority: 1
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: "GatewayClass describes a class of Gateways available to the
user for creating Gateway resources. \n It is recommended that this resource
be used as a template for Gateways. This means that a Gateway is based on
the state of the GatewayClass at the time it was created and changes to
the GatewayClass or associated parameters are not propagated down to existing
Gateways. This recommendation is intended to limit the blast radius of changes
to GatewayClass or associated parameters. If implementations choose to propagate
GatewayClass changes to existing Gateways, that MUST be clearly documented
by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io`
finalizer on the associated GatewayClass. This ensures that a GatewayClass
associated with a Gateway is not deleted while in use. \n GatewayClass is
a Cluster level resource."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
description: "ControllerName is the name of the controller that is
managing Gateways of this class. The value of this field MUST be
a domain prefixed path. \n Example: \"example.net/gateway-controller\".
\n This field is not mutable and cannot be empty. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
description:
description: Description helps describe a GatewayClass with more details.
maxLength: 64
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains
the configuration parameters corresponding to the GatewayClass.
This is optional if the controller does not require any additional
configuration. \n ParametersRef can reference a standard Kubernetes
resource, i.e. ConfigMap, or an implementation-specific custom resource.
The resource can be cluster-scoped or namespace-scoped. \n If the
referent cannot be found, the GatewayClass's \"InvalidParameters\"
status condition will be true. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This
field is required when referring to a Namespace-scoped resource
and MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- controllerName
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: Status defines the current state of GatewayClass.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: "Conditions is the current status from the controller
for this GatewayClass. \n Controllers should prefer to publish conditions
using values of GatewayClassConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gateways.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: Gateway
listKind: GatewayList
plural: gateways
shortNames:
- gtw
singular: gateway
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.gatewayClassName
name: Class
type: string
- jsonPath: .status.addresses[*].value
name: Address
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: Gateway represents an instance of a service-traffic handling
infrastructure by binding Listeners to a set of IP addresses.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
description: "Addresses requested for this Gateway. This is optional
and behavior can depend on the implementation. If a value is set
in the spec and the requested address is invalid or unavailable,
the implementation MUST indicate this in the associated entry in
GatewayStatus.Addresses. \n The Addresses field represents a request
for the address(es) on the \"outside of the Gateway\", that traffic
bound for this Gateway will use. This could be the IP address or
hostname of an external load balancer or other networking infrastructure,
or some other address that traffic will be sent to. \n The .listener.hostname
field is used to route traffic that has already arrived at the Gateway
to the correct in-cluster destination. \n If no Addresses are specified,
the implementation MAY schedule the Gateway in an implementation-specific
manner, assigning an appropriate set of Addresses. \n The implementation
MUST bind all Listeners to every GatewayAddress that it assigns
to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
\n Support: Extended"
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
gatewayClassName:
description: GatewayClassName used for this Gateway. This is the name
of a GatewayClass resource.
maxLength: 253
minLength: 1
type: string
listeners:
description: "Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses. At
least one Listener MUST be specified. \n Each listener in a Gateway
must have a unique combination of Hostname, Port, and Protocol.
\n An implementation MAY group Listeners by Port and then collapse
each group of Listeners into a single Listener if the implementation
determines that the Listeners in the group are \"compatible\". An
implementation MAY also group together and collapse compatible Listeners
belonging to different Gateways. \n For example, an implementation
might consider Listeners to be compatible with each other if all
of the following conditions are met: \n 1. Either each Listener
within the group specifies the \"HTTP\" Protocol or each Listener
within the group specifies either the \"HTTPS\" or \"TLS\" Protocol.
\n 2. Each Listener within the group specifies a Hostname that is
unique within the group. \n 3. As a special case, one Listener
within a group may omit Hostname, in which case this Listener
matches when no other Listener matches. \n If the implementation
does collapse compatible Listeners, the hostname provided in the
incoming client request MUST be matched to a Listener to find the
correct set of Routes. The incoming hostname MUST be matched using
the Hostname field for each Listener in order of most to least specific.
That is, exact matches must be processed before wildcard matches.
\n If this field specifies multiple Listeners that have the same
Port value but are not compatible, the implementation must raise
a \"Conflicted\" condition in the Listener status. \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint
where a Gateway accepts network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
description: "AllowedRoutes defines the types of routes that
MAY be attached to a Listener and the trusted namespaces where
those Route resources MAY be present. \n Although a client
request may match multiple route rules, only one rule may
ultimately receive the request. Matching precedence MUST be
determined in order of the following criteria: \n * The most
specific match as defined by the Route type. * The oldest
Route based on creation timestamp. For example, a Route with
\ a creation timestamp of \"2020-09-08 01:02:03\" is given
precedence over a Route with a creation timestamp of \"2020-09-08
01:02:04\". * If everything else is equivalent, the Route
appearing first in alphabetical order (namespace/name) should
be given precedence. For example, foo/bar is given precedence
over foo/baz. \n All valid rules within a Route attached to
this Listener should be implemented. Invalid Route rules can
be ignored (sometimes that will mean the full Route). If a
Route rule transitions from valid to invalid, support for
that Route rule should be dropped to ensure consistency. For
example, even if a filter specified by a Route rule is invalid,
the rest of the rules within that Route should still be supported.
\n Support: Core"
properties:
kinds:
description: "Kinds specifies the groups and kinds of Routes
that are allowed to bind to this Gateway Listener. When
unspecified or empty, the kinds of Routes selected are
determined using the Listener protocol. \n A RouteGroupKind
MUST correspond to kinds of Routes that are compatible
with the application protocol specified in the Listener's
Protocol field. If an implementation does not support
or recognize this resource type, it MUST set the \"ResolvedRefs\"
condition to False for this Listener with the \"InvalidRouteKinds\"
reason. \n Support: Core"
items:
description: RouteGroupKind indicates the group and kind
of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
namespaces:
default:
from: Same
description: "Namespaces indicates namespaces from which
Routes may be attached to this Listener. This is restricted
to the namespace of this Gateway by default. \n Support:
Core"
properties:
from:
default: Same
description: "From indicates where Routes will be selected
for this Gateway. Possible values are: * All: Routes
in all namespaces may be used by this Gateway. * Selector:
Routes in namespaces selected by the selector may
be used by this Gateway. * Same: Only Routes in
the same namespace may be used by this Gateway. \n
Support: Core"
enum:
- All
- Selector
- Same
type: string
selector:
description: "Selector must be specified when From is
set to \"Selector\". In that case, only Routes in
Namespaces matching this Selector will be selected
by this Gateway. This field is ignored for other values
of \"From\". \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
type: object
hostname:
description: "Hostname specifies the virtual hostname to match
for protocol types that define this concept. When unspecified,
all hostnames are matched. This field is ignored for protocols
that don't require hostname based matching. \n Implementations
MUST apply Hostname matching appropriately for each of the
following protocols: \n * TLS: The Listener Hostname MUST
match the SNI. * HTTP: The Listener Hostname MUST match the
Host header of the request. * HTTPS: The Listener Hostname
SHOULD match at both the TLS and HTTP protocol layers as
described above. If an implementation does not ensure that
both the SNI and Host header match the Listener hostname,
\ it MUST clearly document that. \n For HTTPRoute and TLSRoute
resources, there is an interaction with the `spec.hostnames`
array. When both listener and route specify hostnames, there
MUST be an intersection between the values for a Route to
be accepted. For more information, refer to the Route specific
Hostnames documentation. \n Hostnames that are prefixed with
a wildcard label (`*.`) are interpreted as a suffix match.
That means that a match for `*.example.com` would match both
`test.example.com`, and `foo.test.example.com`, but not `example.com`.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
description: "Name is the name of the Listener. This name MUST
be unique within a Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
description: "Port is the network port. Multiple listeners may
use the same port, subject to the Listener compatibility rules.
\n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: "Protocol specifies the network protocol this listener
expects to receive. \n Support: Core"
maxLength: 255
minLength: 1
pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
description: "TLS is the TLS configuration for the Listener.
This field is required if the Protocol field is \"HTTPS\"
or \"TLS\". It is invalid to set this field if the Protocol
field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
of SNIs to Certificate defined in GatewayTLSConfig is defined
based on the Hostname field for this listener. \n The GatewayClass
MUST use the longest matching SNI out of all available certificates
for any TLS handshake. \n Support: Core"
properties:
certificateRefs:
description: "CertificateRefs contains a series of references
to Kubernetes objects that contains TLS certificates and
private keys. These certificates are used to establish
a TLS handshake for requests that match the hostname of
the associated listener. \n A single CertificateRef to
a Kubernetes Secret has \"Core\" support. Implementations
MAY choose to support attaching multiple certificates
to a Listener, but this behavior is implementation-specific.
\n References to a resource in different namespace are
invalid UNLESS there is a ReferenceGrant in the target
namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the
\"ResolvedRefs\" condition MUST be set to False for this
listener with the \"InvalidCertificateRef\" reason. \n
This field is required to have at least one element when
the mode is set to \"Terminate\" (default) and is optional
otherwise. \n CertificateRefs can reference to standard
Kubernetes resources, i.e. Secret, or implementation-specific
custom resources. \n Support: Core - A single reference
to a Kubernetes Secret of type kubernetes.io/tls \n Support:
Implementation-specific (More than one reference or other
resource types)"
items:
description: "SecretObjectReference identifies an API
object including its namespace, defaulting to Secret.
\n The API object must be valid in the cluster; the
Group and Kind must be registered in the cluster for
this reference to be valid. \n References to objects
with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For
example, "networking.k8s.io". When unspecified (empty
string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred.
\n Note that when a different namespace is specified,
a ReferenceGrant object with ReferenceGrantTo.Kind=Secret
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the
ReferenceGrant documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 64
type: array
mode:
default: Terminate
description: "Mode defines the TLS behavior for the TLS
session initiated by the client. There are two possible
modes: \n - Terminate: The TLS session between the downstream
client and the Gateway is terminated at the Gateway.
This mode requires certificateRefs to be set and contain
at least one element. - Passthrough: The TLS session is
NOT terminated by the Gateway. This implies that the
Gateway can't decipher the TLS stream except for the
ClientHello message of the TLS protocol. CertificateRefs
field is ignored in this mode. \n Support: Core"
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
description: AnnotationValue is the value of an annotation
in Gateway API. This is used for validation of maps
such as TLS options. This roughly matches Kubernetes
annotation validation, although the length validation
in that case is based on the entire size of the annotations
struct.
maxLength: 4096
minLength: 0
type: string
description: "Options are a list of key/value pairs to enable
extended TLS configuration for each implementation. For
example, configuring the minimum TLS version or supported
cipher suites. \n A set of common keys MAY be defined
by the API in the future. To avoid any ambiguity, implementation-specific
definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
Un-prefixed names are reserved for key names defined by
Gateway API. \n Support: Implementation-specific"
maxProperties: 16
type: object
type: object
required:
- name
- port
- protocol
type: object
maxItems: 64
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
required:
- gatewayClassName
- listeners
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Scheduled
description: Status defines the current state of Gateway.
properties:
addresses:
description: Addresses lists the IP addresses that have actually been
bound to the Gateway. These addresses may differ from the addresses
in the Spec, e.g. if the Gateway automatically assigns an address
from a reserved pool.
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Scheduled
description: "Conditions describe the current conditions of the Gateway.
\n Implementations should prefer to express Gateway conditions using
the `GatewayConditionType` and `GatewayConditionReason` constants
so that operators and tools can converge on a common vocabulary
to describe Gateway state. \n Known condition types are: \n * \"Scheduled\"
* \"Ready\""
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
listeners:
description: Listeners provide status for each unique listener port
defined in the Spec.
items:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
description: AttachedRoutes represents the total number of Routes
that have been successfully attached to this Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this
listener.
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
name:
description: Name is the name of the Listener that this status
corresponds to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
description: "SupportedKinds is the list indicating the Kinds
supported by this listener. This MUST represent the kinds
an implementation supports for that Listener configuration.
\n If kinds are specified in Spec that are not supported,
they MUST NOT appear in this list and an implementation MUST
set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
reason. If both valid and invalid Route kinds are specified,
the implementation MUST reference the valid Route kinds that
have been specified."
items:
description: RouteGroupKind indicates the group and kind of
a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
required:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.gatewayClassName
name: Class
type: string
- jsonPath: .status.addresses[*].value
name: Address
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: Gateway represents an instance of a service-traffic handling
infrastructure by binding Listeners to a set of IP addresses.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
description: "Addresses requested for this Gateway. This is optional
and behavior can depend on the implementation. If a value is set
in the spec and the requested address is invalid or unavailable,
the implementation MUST indicate this in the associated entry in
GatewayStatus.Addresses. \n The Addresses field represents a request
for the address(es) on the \"outside of the Gateway\", that traffic
bound for this Gateway will use. This could be the IP address or
hostname of an external load balancer or other networking infrastructure,
or some other address that traffic will be sent to. \n The .listener.hostname
field is used to route traffic that has already arrived at the Gateway
to the correct in-cluster destination. \n If no Addresses are specified,
the implementation MAY schedule the Gateway in an implementation-specific
manner, assigning an appropriate set of Addresses. \n The implementation
MUST bind all Listeners to every GatewayAddress that it assigns
to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
\n Support: Extended"
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
gatewayClassName:
description: GatewayClassName used for this Gateway. This is the name
of a GatewayClass resource.
maxLength: 253
minLength: 1
type: string
listeners:
description: "Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses. At
least one Listener MUST be specified. \n Each listener in a Gateway
must have a unique combination of Hostname, Port, and Protocol.
\n An implementation MAY group Listeners by Port and then collapse
each group of Listeners into a single Listener if the implementation
determines that the Listeners in the group are \"compatible\". An
implementation MAY also group together and collapse compatible Listeners
belonging to different Gateways. \n For example, an implementation
might consider Listeners to be compatible with each other if all
of the following conditions are met: \n 1. Either each Listener
within the group specifies the \"HTTP\" Protocol or each Listener
within the group specifies either the \"HTTPS\" or \"TLS\" Protocol.
\n 2. Each Listener within the group specifies a Hostname that is
unique within the group. \n 3. As a special case, one Listener
within a group may omit Hostname, in which case this Listener
matches when no other Listener matches. \n If the implementation
does collapse compatible Listeners, the hostname provided in the
incoming client request MUST be matched to a Listener to find the
correct set of Routes. The incoming hostname MUST be matched using
the Hostname field for each Listener in order of most to least specific.
That is, exact matches must be processed before wildcard matches.
\n If this field specifies multiple Listeners that have the same
Port value but are not compatible, the implementation must raise
a \"Conflicted\" condition in the Listener status. \n Support: Core"
items:
description: Listener embodies the concept of a logical endpoint
where a Gateway accepts network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
description: "AllowedRoutes defines the types of routes that
MAY be attached to a Listener and the trusted namespaces where
those Route resources MAY be present. \n Although a client
request may match multiple route rules, only one rule may
ultimately receive the request. Matching precedence MUST be
determined in order of the following criteria: \n * The most
specific match as defined by the Route type. * The oldest
Route based on creation timestamp. For example, a Route with
\ a creation timestamp of \"2020-09-08 01:02:03\" is given
precedence over a Route with a creation timestamp of \"2020-09-08
01:02:04\". * If everything else is equivalent, the Route
appearing first in alphabetical order (namespace/name) should
be given precedence. For example, foo/bar is given precedence
over foo/baz. \n All valid rules within a Route attached to
this Listener should be implemented. Invalid Route rules can
be ignored (sometimes that will mean the full Route). If a
Route rule transitions from valid to invalid, support for
that Route rule should be dropped to ensure consistency. For
example, even if a filter specified by a Route rule is invalid,
the rest of the rules within that Route should still be supported.
\n Support: Core"
properties:
kinds:
description: "Kinds specifies the groups and kinds of Routes
that are allowed to bind to this Gateway Listener. When
unspecified or empty, the kinds of Routes selected are
determined using the Listener protocol. \n A RouteGroupKind
MUST correspond to kinds of Routes that are compatible
with the application protocol specified in the Listener's
Protocol field. If an implementation does not support
or recognize this resource type, it MUST set the \"ResolvedRefs\"
condition to False for this Listener with the \"InvalidRouteKinds\"
reason. \n Support: Core"
items:
description: RouteGroupKind indicates the group and kind
of a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
namespaces:
default:
from: Same
description: "Namespaces indicates namespaces from which
Routes may be attached to this Listener. This is restricted
to the namespace of this Gateway by default. \n Support:
Core"
properties:
from:
default: Same
description: "From indicates where Routes will be selected
for this Gateway. Possible values are: * All: Routes
in all namespaces may be used by this Gateway. * Selector:
Routes in namespaces selected by the selector may
be used by this Gateway. * Same: Only Routes in
the same namespace may be used by this Gateway. \n
Support: Core"
enum:
- All
- Selector
- Same
type: string
selector:
description: "Selector must be specified when From is
set to \"Selector\". In that case, only Routes in
Namespaces matching this Selector will be selected
by this Gateway. This field is ignored for other values
of \"From\". \n Support: Core"
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
type: object
hostname:
description: "Hostname specifies the virtual hostname to match
for protocol types that define this concept. When unspecified,
all hostnames are matched. This field is ignored for protocols
that don't require hostname based matching. \n Implementations
MUST apply Hostname matching appropriately for each of the
following protocols: \n * TLS: The Listener Hostname MUST
match the SNI. * HTTP: The Listener Hostname MUST match the
Host header of the request. * HTTPS: The Listener Hostname
SHOULD match at both the TLS and HTTP protocol layers as
described above. If an implementation does not ensure that
both the SNI and Host header match the Listener hostname,
\ it MUST clearly document that. \n For HTTPRoute and TLSRoute
resources, there is an interaction with the `spec.hostnames`
array. When both listener and route specify hostnames, there
MUST be an intersection between the values for a Route to
be accepted. For more information, refer to the Route specific
Hostnames documentation. \n Hostnames that are prefixed with
a wildcard label (`*.`) are interpreted as a suffix match.
That means that a match for `*.example.com` would match both
`test.example.com`, and `foo.test.example.com`, but not `example.com`.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
description: "Name is the name of the Listener. This name MUST
be unique within a Gateway. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
description: "Port is the network port. Multiple listeners may
use the same port, subject to the Listener compatibility rules.
\n Support: Core"
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: "Protocol specifies the network protocol this listener
expects to receive. \n Support: Core"
maxLength: 255
minLength: 1
pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
description: "TLS is the TLS configuration for the Listener.
This field is required if the Protocol field is \"HTTPS\"
or \"TLS\". It is invalid to set this field if the Protocol
field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
of SNIs to Certificate defined in GatewayTLSConfig is defined
based on the Hostname field for this listener. \n The GatewayClass
MUST use the longest matching SNI out of all available certificates
for any TLS handshake. \n Support: Core"
properties:
certificateRefs:
description: "CertificateRefs contains a series of references
to Kubernetes objects that contains TLS certificates and
private keys. These certificates are used to establish
a TLS handshake for requests that match the hostname of
the associated listener. \n A single CertificateRef to
a Kubernetes Secret has \"Core\" support. Implementations
MAY choose to support attaching multiple certificates
to a Listener, but this behavior is implementation-specific.
\n References to a resource in different namespace are
invalid UNLESS there is a ReferenceGrant in the target
namespace that allows the certificate to be attached.
If a ReferenceGrant does not allow this reference, the
\"ResolvedRefs\" condition MUST be set to False for this
listener with the \"InvalidCertificateRef\" reason. \n
This field is required to have at least one element when
the mode is set to \"Terminate\" (default) and is optional
otherwise. \n CertificateRefs can reference to standard
Kubernetes resources, i.e. Secret, or implementation-specific
custom resources. \n Support: Core - A single reference
to a Kubernetes Secret of type kubernetes.io/tls \n Support:
Implementation-specific (More than one reference or other
resource types)"
items:
description: "SecretObjectReference identifies an API
object including its namespace, defaulting to Secret.
\n The API object must be valid in the cluster; the
Group and Kind must be registered in the cluster for
this reference to be valid. \n References to objects
with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For
example, "networking.k8s.io". When unspecified (empty
string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred.
\n Note that when a namespace is specified, a ReferenceGrant
object is required in the referent namespace to
allow that namespace's owner to accept the reference.
See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
maxItems: 64
type: array
mode:
default: Terminate
description: "Mode defines the TLS behavior for the TLS
session initiated by the client. There are two possible
modes: \n - Terminate: The TLS session between the downstream
client and the Gateway is terminated at the Gateway.
This mode requires certificateRefs to be set and contain
at least one element. - Passthrough: The TLS session is
NOT terminated by the Gateway. This implies that the
Gateway can't decipher the TLS stream except for the
ClientHello message of the TLS protocol. CertificateRefs
field is ignored in this mode. \n Support: Core"
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
description: AnnotationValue is the value of an annotation
in Gateway API. This is used for validation of maps
such as TLS options. This roughly matches Kubernetes
annotation validation, although the length validation
in that case is based on the entire size of the annotations
struct.
maxLength: 4096
minLength: 0
type: string
description: "Options are a list of key/value pairs to enable
extended TLS configuration for each implementation. For
example, configuring the minimum TLS version or supported
cipher suites. \n A set of common keys MAY be defined
by the API in the future. To avoid any ambiguity, implementation-specific
definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
Un-prefixed names are reserved for key names defined by
Gateway API. \n Support: Implementation-specific"
maxProperties: 16
type: object
type: object
required:
- name
- port
- protocol
type: object
maxItems: 64
minItems: 1
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
required:
- gatewayClassName
- listeners
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Scheduled
description: Status defines the current state of Gateway.
properties:
addresses:
description: Addresses lists the IP addresses that have actually been
bound to the Gateway. These addresses may differ from the addresses
in the Spec, e.g. if the Gateway automatically assigns an address
from a reserved pool.
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
properties:
type:
default: IPAddress
description: Type of the address.
maxLength: 253
minLength: 1
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
description: "Value of the address. The validity of the values
will depend on the type and support by the controller. \n
Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
maxLength: 253
minLength: 1
type: string
required:
- value
type: object
maxItems: 16
type: array
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: NotReconciled
status: Unknown
type: Scheduled
description: "Conditions describe the current conditions of the Gateway.
\n Implementations should prefer to express Gateway conditions using
the `GatewayConditionType` and `GatewayConditionReason` constants
so that operators and tools can converge on a common vocabulary
to describe Gateway state. \n Known condition types are: \n * \"Scheduled\"
* \"Ready\""
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
listeners:
description: Listeners provide status for each unique listener port
defined in the Spec.
items:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
description: AttachedRoutes represents the total number of Routes
that have been successfully attached to this Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this
listener.
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
name:
description: Name is the name of the Listener that this status
corresponds to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
description: "SupportedKinds is the list indicating the Kinds
supported by this listener. This MUST represent the kinds
an implementation supports for that Listener configuration.
\n If kinds are specified in Spec that are not supported,
they MUST NOT appear in this list and an implementation MUST
set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
reason. If both valid and invalid Route kinds are specified,
the implementation MUST reference the valid Route kinds that
have been specified."
items:
description: RouteGroupKind indicates the group and kind of
a Route resource.
properties:
group:
default: gateway.networking.k8s.io
description: Group is the group of the Route.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is the kind of the Route.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
required:
- kind
type: object
maxItems: 8
type: array
required:
- attachedRoutes
- conditions
- name
- supportedKinds
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: GRPCRoute
listKind: GRPCRouteList
plural: grpcroutes
singular: grpcroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.hostnames
name: Hostnames
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "GRPCRoute provides a way to route gRPC requests. This includes
the capability to match requests by hostname, gRPC service, gRPC method,
or HTTP/2 header. Filters can be used to specify additional processing steps.
Backends specify where matching requests will be routed. \n GRPCRoute falls
under extended support within the Gateway API. Within the following specification,
the word \"MUST\" indicates that an implementation supporting GRPCRoute
must conform to the indicated requirement, but an implementation not supporting
need not follow the requirement unless explicitly indicated. \n Virtually
all existing gRPC connections happen directly over HTTP/2 without first
upgrading from HTTP/1. Nearly no server implementations support the upgrade
and next to no clients start with HTTP/1. As such, certain restrictions
are placed on implementations that claim support for GRPCRoute. \n Implementations
supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2
connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If
the implementation does not support this, then it MUST raise a \"Detached\"
condition for the affected listener with a reason of \"UnsupportedProtocol\".
Note that a compliant implementation MAY also accept HTTP/2 connections
with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with
the `HTTP` `ProtocolType` MUST support cleartext HTTP/2 without an initial
upgrade from HTTP/1.1. If the implementation does not support this, then
it MUST raise a \"Detached\" condition for the affected listener with a
reason of \"UnsupportedProtocol\". Note that a compliant implementation
MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Support:
Extended"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of GRPCRoute.
properties:
hostnames:
description: "Hostnames defines a set of hostname to match against
the GRPC Host header to select a GRPCRoute to process the request.
This matches the RFC 1123 definition of a hostname with 2 notable
exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
with a wildcard label (`*.`). The wildcard label MUST appear
by itself as the first label. \n If a hostname is specified by both
the Listener and GRPCRoute, there MUST be at least one intersecting
hostname for the GRPCRoute to be attached to the Listener. For example:
\n * A Listener with `test.example.com` as the hostname matches
GRPCRoutes that have either not specified any hostnames, or have
specified at least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches GRPCRoutes
\ that have either not specified any hostnames or have specified
at least one hostname that matches the Listener hostname. For
example, `test.example.com` and `*.example.com` would both match.
On the other hand, `example.com` and `test.example.net` would
not match. \n Hostnames that are prefixed with a wildcard label
(`*.`) are interpreted as a suffix match. That means that a match
for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`,
but not `example.com`. \n If both the Listener and GRPCRoute have
specified hostnames, any GRPCRoute hostnames that do not match the
Listener hostname MUST be ignored. For example, if a Listener specified
`*.example.com`, and the GRPCRoute specified `test.example.com`
and `test.example.net`, `test.example.net` MUST NOT be considered
for a match. \n If both the Listener and GRPCRoute have specified
hostnames, and none match with the criteria above, then the GRPCRoute
is not accepted. The implementation MUST raise an 'Accepted' Condition
with a status of `False` in the corresponding RouteParentStatus.
\n If a Route (A) of type HTTPRoute or GRPCRoute is attached to
a Listener and that listener already has another Route (B) of the
other type attached and the intersection of the hostnames of A and
B is non-empty, then the implementation MUST accept exactly one
of these two routes, determined by the following criteria, in order:
\n * The oldest Route based on creation timestamp. * The Route appearing
first in alphabetical order by \"{namespace}/{name}\". \n The
rejected Route MUST raise an 'Accepted' condition with a status
of 'False' in the corresponding RouteParentStatus. \n Support: Core"
items:
description: "Hostname is the fully qualified domain name of a network
host. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
may be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n Hostname can be \"precise\"
which is a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
name prefixed with a single wildcard label (e.g. `*.example.com`).
\n Note that as per RFC1035 and RFC1123, a *label* must consist
of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
default:
- matches:
- method:
type: Exact
description: Rules are a list of GRPC matchers, filters and actions.
items:
description: GRPCRouteRule defines semantics for matching an gRPC
request based on conditions (matches), processing it (filters),
and forwarding the request to an API object (backendRefs).
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. \n Failure behavior here depends
on how many BackendRefs are specified and how many are invalid.
\n If *all* entries in BackendRefs are invalid, and there
are also no filters specified in this route rule, *all* traffic
which matches this rule MUST receive an `UNAVAILABLE` status.
\n See the GRPCBackendRef definition for the rules about what
makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef
is invalid, `UNAVAILABLE` statuses MUST be returned for requests
that would have otherwise been routed to an invalid backend.
If multiple backends are specified, and some are invalid,
the proportion of requests that would otherwise have been
routed to an invalid backend MUST receive an `UNAVAILABLE`
status. \n For example, if two backends are specified with
equal weights, and one is invalid, 50 percent of traffic MUST
receive an `UNAVAILABLE` status. Implementations may choose
how that 50 percent is determined. \n Support: Core for Kubernetes
Service \n Support: Custom for any other resource \n Support
for weight: Core"
items:
description: GRPCBackendRef defines how a GRPCRoute forwards
a gRPC request.
properties:
filters:
description: "Filters defined at this level MUST be executed
if and only if the request is being forwarded to the
backend defined here. \n Support: Custom (For broader
support of filters, use the Filters field in GRPCRouteRule.)"
items:
description: GRPCRouteFilter defines processing steps
that must be completed during the request or response
lifecycle. GRPCRouteFilters are meant as an extension
point to express processing that may be done in Gateway
implementations. Some examples include request or
response modification, implementing authentication
strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type
of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema
for a filter that modifies request headers. \n
Support: Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It
appends to any existing values associated
with the header name. \n Input: GET /foo
HTTP/1.1 my-header: foo \n Config: add:
\ - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from
the HTTP request before the action. The value
of Remove is a list of HTTP header names.
Note that the header names are case-insensitive
(see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1:
foo my-header2: bar my-header3: baz \n
Config: remove: [\"my-header1\", \"my-header3\"]
\n Output: GET /foo HTTP/1.1 my-header2:
bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with
the given header (name, value) before the
action. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: set: - name: \"my-header\"
\ value: \"bar\" \n Output: GET /foo
HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for
a filter that mirrors requests. Requests are sent
to the specified destination, but responses from
that destination are ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource
where mirrored requests are sent. \n If the
referent cannot be found, this BackendRef
is invalid and must be dropped from the Gateway.
The controller must ensure the \"ResolvedRefs\"
condition on the Route status is set to `status:
False` and not configure this backend in the
underlying implementation. \n If there is
a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status:
False`, with the \"RefNotPermitted\" reason
and not configure this backend in the underlying
implementation. \n In either error case, the
Message of the `ResolvedRefs` Condition should
be used to provide more detail about the problem.
\n Support: Extended for Kubernetes Service
\n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When
unspecified (empty string), core API group
is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent.
For example "HTTPRoute" or "Service".
Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace
of the backend. When unspecified, the
local namespace is inferred. \n Note that
when a different namespace is specified,
a ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace
to allow that namespace's owner to accept
the reference. See the ReferenceGrant
documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination
port number to use for this resource.
Port is required when the referent is
a Kubernetes Service. In this case, the
port number is the service port number,
not the target port. For other resources,
destination port might be derived from
the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
type:
description: "Type identifies the type of filter
to apply. As with other API fields, types are
classified into three conformance levels: \n -
Core: Filter types and their corresponding configuration
defined by \"Support: Core\" in this package,
e.g. \"RequestHeaderModifier\". All implementations
supporting GRPCRoute MUST support core filters.
\n - Extended: Filter types and their corresponding
configuration defined by \"Support: Extended\"
in this package, e.g. \"RequestMirror\". Implementers
\ are encouraged to support extended filters.
\n - Custom: Filters that are defined and supported
by specific vendors. In the future, filters
showing convergence in behavior across multiple
\ implementations will be considered for inclusion
in extended or core conformance levels. Filter-specific
configuration for such filters is specified
using the ExtensionRef field. `Type` MUST be set
to \"ExtensionRef\" for custom filters. \n Implementers
are encouraged to define custom implementation
types to extend the core API with implementation-specific
behavior. \n If a reference to a custom filter
type cannot be resolved, the filter MUST NOT be
skipped. Instead, requests that would have been
processed by that filter MUST receive a HTTP error
response. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- ExtensionRef
type: string
required:
- type
type: object
maxItems: 16
type: array
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a different namespace is specified, a
ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
type: array
filters:
description: "Filters define the filters that are applied to
requests that match this rule. \n The effects of ordering
of multiple behaviors are currently unspecified. This can
change in the future based on feedback during the alpha stage.
\n Conformance-levels at this level are defined based on the
type of filter: \n - ALL core filters MUST be supported by
all implementations. - Implementers are encouraged to support
extended filters. - Implementation-specific custom filters
have no API guarantees across implementations. \n Specifying
a core filter multiple times has unspecified or custom conformance.
Support: Core"
items:
description: GRPCRouteFilter defines processing steps that
must be completed during the request or response lifecycle.
GRPCRouteFilters are meant as an extension point to express
processing that may be done in Gateway implementations.
Some examples include request or response modification,
implementing authentication strategies, rate-limiting, and
traffic shaping. API guarantee/conformance is defined based
on the type of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent. For
example, "networking.k8s.io". When unspecified (empty
string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for
a filter that modifies request headers. \n Support:
Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It appends
to any existing values associated with the header
name. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: add: - name: \"my-header\" value:
\"bar\" \n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the
HTTP request before the action. The value of Remove
is a list of HTTP header names. Note that the header
names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1: foo
\ my-header2: bar my-header3: baz \n Config:
\ remove: [\"my-header1\", \"my-header3\"] \n Output:
\ GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the
given header (name, value) before the action. \n
Input: GET /foo HTTP/1.1 my-header: foo \n Config:
\ set: - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter
that mirrors requests. Requests are sent to the specified
destination, but responses from that destination are
ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource where
mirrored requests are sent. \n If the referent cannot
be found, this BackendRef is invalid and must be
dropped from the Gateway. The controller must ensure
the \"ResolvedRefs\" condition on the Route status
is set to `status: False` and not configure this
backend in the underlying implementation. \n If
there is a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status: False`,
with the \"RefNotPermitted\" reason and not configure
this backend in the underlying implementation. \n
In either error case, the Message of the `ResolvedRefs`
Condition should be used to provide more detail
about the problem. \n Support: Extended for Kubernetes
Service \n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service". Defaults to
"Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the
backend. When unspecified, the local namespace
is inferred. \n Note that when a different namespace
is specified, a ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow
that namespace's owner to accept the reference.
See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port
number to use for this resource. Port is required
when the referent is a Kubernetes Service. In
this case, the port number is the service port
number, not the target port. For other resources,
destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
type:
description: "Type identifies the type of filter to apply.
As with other API fields, types are classified into
three conformance levels: \n - Core: Filter types and
their corresponding configuration defined by \"Support:
Core\" in this package, e.g. \"RequestHeaderModifier\".
All implementations supporting GRPCRoute MUST support
core filters. \n - Extended: Filter types and their
corresponding configuration defined by \"Support:
Extended\" in this package, e.g. \"RequestMirror\".
Implementers are encouraged to support extended filters.
\n - Custom: Filters that are defined and supported
by specific vendors. In the future, filters showing
convergence in behavior across multiple implementations
will be considered for inclusion in extended or core
\ conformance levels. Filter-specific configuration
for such filters is specified using the ExtensionRef
field. `Type` MUST be set to \"ExtensionRef\" for
custom filters. \n Implementers are encouraged to define
custom implementation types to extend the core API with
implementation-specific behavior. \n If a reference
to a custom filter type cannot be resolved, the filter
MUST NOT be skipped. Instead, requests that would have
been processed by that filter MUST receive a HTTP error
response. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- ExtensionRef
type: string
required:
- type
type: object
maxItems: 16
type: array
matches:
default:
- method:
type: Exact
description: "Matches define conditions used for matching the
rule against incoming gRPC requests. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. \n For example, take the following matches configuration:
\n ``` matches: - method: service: foo.bar headers:
\ values: version: 2 - method: service: foo.bar.v2
``` \n For a request to match against this rule, it MUST satisfy
EITHER of the two conditions: \n - service of foo.bar AND
contains the header `version: 2` - service of foo.bar.v2 \n
See the documentation for GRPCRouteMatch on how to specify
multiple match conditions to be ANDed together. \n If no matches
are specified, the implementation MUST match every gRPC request.
\n Proxy or Load Balancer routing configuration generated
from GRPCRoutes MUST prioritize rules based on the following
criteria, continuing on ties. Merging MUST not be done between
GRPCRoutes and HTTPRoutes. Precedence MUST be given to the
rule with the largest number of: \n * Characters in a matching
non-wildcard hostname. * Characters in a matching hostname.
* Characters in a matching service. * Characters in a matching
method. * Header matches. \n If ties still exist across multiple
Routes, matching precedence MUST be determined in order of
the following criteria, continuing on ties: \n * The oldest
Route based on creation timestamp. * The Route appearing first
in alphabetical order by \"{namespace}/{name}\". \n If ties
still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching
rule meeting the above criteria."
items:
description: "GRPCRouteMatch defines the predicate used to
match requests to a given action. Multiple match types are
ANDed together, i.e. the match will evaluate to true only
if all conditions are satisfied. \n For example, the match
below will match a gRPC request only if its service is `foo`
AND it contains the `version: v1` header: \n ``` matches:
- method: type: Exact service: \"foo\" headers:
\ - name: \"version\" value \"v1\" ```"
properties:
headers:
description: Headers specifies gRPC request header matchers.
Multiple match values are ANDed together, meaning, a
request MUST match all the specified headers to select
the route.
items:
description: GRPCHeaderMatch describes how to select
a gRPC route by matching gRPC request headers.
properties:
name:
description: "Name is the name of the gRPC Header
to be matched. \n If multiple entries specify
equivalent header names, only the first entry
with an equivalent name MUST be considered for
a match. Subsequent entries with an equivalent
header name MUST be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: Type specifies how to match against
the value of the header.
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of the gRPC Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
method:
default:
type: Exact
description: Path specifies a gRPC request service/method
matcher. If this field is not specified, all services
and methods will match.
properties:
method:
default: ""
description: "Value of the method to match against.
If left empty or omitted, will match all services.
\n At least one of Service and Method MUST be a
non-empty string."
maxLength: 1024
pattern: ^[^\/]*$
type: string
service:
default: ""
description: "Value of the service to match against.
If left empty or omitted, will match all services.
\n At least one of Service and Method MUST be a
non-empty string."
maxLength: 1024
pattern: ^[^\/]*$
type: string
type:
default: Exact
description: "Type specifies how to match against
the service and/or method. Support: Core (Exact
with service and method specified) \n Support Custom
(Exact with method specified but no service specified)
\n Support: Custom (RegularExpression)"
enum:
- Exact
- RegularExpression
type: string
type: object
type: object
maxItems: 8
type: array
type: object
maxItems: 16
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a different namespace is specified, a ReferenceGrant
object with ReferenceGrantTo.Kind=Service is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
type: object
status:
description: Status defines the current state of GRPCRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: httproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: HTTPRoute
listKind: HTTPRouteList
plural: httproutes
singular: httproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.hostnames
name: Hostnames
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: HTTPRoute provides a way to route HTTP requests. This includes
the capability to match requests by hostname, path, header, or query param.
Filters can be used to specify additional processing steps. Backends specify
where matching requests should be routed.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of HTTPRoute.
properties:
hostnames:
description: "Hostnames defines a set of hostname that should match
against the HTTP Host header to select a HTTPRoute to process the
request. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may
be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n If a hostname is specified
by both the Listener and HTTPRoute, there must be at least one intersecting
hostname for the HTTPRoute to be attached to the Listener. For example:
\n * A Listener with `test.example.com` as the hostname matches
HTTPRoutes that have either not specified any hostnames, or have
specified at least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches HTTPRoutes
\ that have either not specified any hostnames or have specified
at least one hostname that matches the Listener hostname. For
example, `*.example.com`, `test.example.com`, and `foo.test.example.com`
would all match. On the other hand, `example.com` and `test.example.net`
would not match. \n Hostnames that are prefixed with a wildcard
label (`*.`) are interpreted as a suffix match. That means that
a match for `*.example.com` would match both `test.example.com`,
and `foo.test.example.com`, but not `example.com`. \n If both the
Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
that do not match the Listener hostname MUST be ignored. For example,
if a Listener specified `*.example.com`, and the HTTPRoute specified
`test.example.com` and `test.example.net`, `test.example.net` must
not be considered for a match. \n If both the Listener and HTTPRoute
have specified hostnames, and none match with the criteria above,
then the HTTPRoute is not accepted. The implementation must raise
an 'Accepted' Condition with a status of `False` in the corresponding
RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute
is attached to a Listener and that listener already has another
Route (B) of the other type attached and the intersection of the
hostnames of A and B is non-empty, then the implementation MUST
accept exactly one of these two routes, determined by the following
criteria, in order: \n * The oldest Route based on creation timestamp.
* The Route appearing first in alphabetical order by \"{namespace}/{name}\".
\n The rejected Route MUST raise an 'Accepted' condition with a
status of 'False' in the corresponding RouteParentStatus. \n Support:
Core"
items:
description: "Hostname is the fully qualified domain name of a network
host. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
may be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n Hostname can be \"precise\"
which is a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
name prefixed with a single wildcard label (e.g. `*.example.com`).
\n Note that as per RFC1035 and RFC1123, a *label* must consist
of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
default:
- matches:
- path:
type: PathPrefix
value: /
description: Rules are a list of HTTP matchers, filters and actions.
items:
description: HTTPRouteRule defines semantics for matching an HTTP
request based on conditions (matches), processing it (filters),
and forwarding the request to an API object (backendRefs).
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. \n Failure behavior here depends
on how many BackendRefs are specified and how many are invalid.
\n If *all* entries in BackendRefs are invalid, and there
are also no filters specified in this route rule, *all* traffic
which matches this rule MUST receive a 500 status code. \n
See the HTTPBackendRef definition for the rules about what
makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
is invalid, 500 status codes MUST be returned for requests
that would have otherwise been routed to an invalid backend.
If multiple backends are specified, and some are invalid,
the proportion of requests that would otherwise have been
routed to an invalid backend MUST receive a 500 status code.
\n For example, if two backends are specified with equal weights,
and one is invalid, 50 percent of traffic must receive a 500.
Implementations may choose how that 50 percent is determined.
\n Support: Core for Kubernetes Service \n Support: Custom
for any other resource \n Support for weight: Core"
items:
description: HTTPBackendRef defines how a HTTPRoute should
forward an HTTP request.
properties:
filters:
description: "Filters defined at this level should be
executed if and only if the request is being forwarded
to the backend defined here. \n Support: Custom (For
broader support of filters, use the Filters field in
HTTPRouteRule.)"
items:
description: HTTPRouteFilter defines processing steps
that must be completed during the request or response
lifecycle. HTTPRouteFilters are meant as an extension
point to express processing that may be done in Gateway
implementations. Some examples include request or
response modification, implementing authentication
strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type
of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema
for a filter that modifies request headers. \n
Support: Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It
appends to any existing values associated
with the header name. \n Input: GET /foo
HTTP/1.1 my-header: foo \n Config: add:
\ - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from
the HTTP request before the action. The value
of Remove is a list of HTTP header names.
Note that the header names are case-insensitive
(see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1:
foo my-header2: bar my-header3: baz \n
Config: remove: [\"my-header1\", \"my-header3\"]
\n Output: GET /foo HTTP/1.1 my-header2:
bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with
the given header (name, value) before the
action. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: set: - name: \"my-header\"
\ value: \"bar\" \n Output: GET /foo
HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for
a filter that mirrors requests. Requests are sent
to the specified destination, but responses from
that destination are ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource
where mirrored requests are sent. \n If the
referent cannot be found, this BackendRef
is invalid and must be dropped from the Gateway.
The controller must ensure the \"ResolvedRefs\"
condition on the Route status is set to `status:
False` and not configure this backend in the
underlying implementation. \n If there is
a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status:
False`, with the \"RefNotPermitted\" reason
and not configure this backend in the underlying
implementation. \n In either error case, the
Message of the `ResolvedRefs` Condition should
be used to provide more detail about the problem.
\n Support: Extended for Kubernetes Service
\n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When
unspecified (empty string), core API group
is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent.
For example "HTTPRoute" or "Service".
Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace
of the backend. When unspecified, the
local namespace is inferred. \n Note that
when a different namespace is specified,
a ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace
to allow that namespace's owner to accept
the reference. See the ReferenceGrant
documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination
port number to use for this resource.
Port is required when the referent is
a Kubernetes Service. In this case, the
port number is the service port number,
not the target port. For other resources,
destination port might be derived from
the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
requestRedirect:
description: "RequestRedirect defines a schema for
a filter that responds to the request with an
HTTP redirection. \n Support: Core"
properties:
hostname:
description: "Hostname is the hostname to be
used in the value of the `Location` header
in the response. When empty, the hostname
of the request is used. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines parameters used to
modify the path of the incoming request. The
modified path is then used to construct the
`Location` header. When empty, the request
path is used as-is. \n Support: Extended \n
<gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies
the value with which to replace the full
path of a request during a rewrite or
redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies
the value with which to replace the prefix
match of a request during a rewrite or
redirect. For example, a request to \"/foo/bar\"
with a prefix match of \"/foo\" would
be modified to \"/bar\". \n Note that
this matches the behavior of the PathPrefix
match type. This matches full path elements.
A path element refers to the list of labels
in the path split by the `/` separator.
When specified, a trailing `/` is ignored.
For example, the paths `/abc`, `/abc/`,
and `/abc/def` would all match the prefix
`/abc`, but the path `/abcd` would not.
\n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path
modifier. Additional types may be added
in a future release of the API. \n Note
that values may be added to this enum,
implementations must ensure that unknown
values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the
Route to `status: False`, with a Reason
of `UnsupportedValue`. \n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
port:
description: "Port is the port to be used in
the value of the `Location` header in the
response. When empty, port (if specified)
of the request is used. \n Support: Extended"
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
description: "Scheme is the scheme to be used
in the value of the `Location` header in the
response. When empty, the scheme of the request
is used. \n Support: Extended \n Note that
values may be added to this enum, implementations
must ensure that unknown values will not cause
a crash. \n Unknown values here must result
in the implementation setting the Attached
Condition for the Route to `status: False`,
with a Reason of `UnsupportedValue`."
enum:
- http
- https
type: string
statusCode:
default: 302
description: "StatusCode is the HTTP status
code to be used in response. \n Support: Core
\n Note that values may be added to this enum,
implementations must ensure that unknown values
will not cause a crash. \n Unknown values
here must result in the implementation setting
the Attached Condition for the Route to `status:
False`, with a Reason of `UnsupportedValue`."
enum:
- 301
- 302
type: integer
type: object
type:
description: "Type identifies the type of filter
to apply. As with other API fields, types are
classified into three conformance levels: \n -
Core: Filter types and their corresponding configuration
defined by \"Support: Core\" in this package,
e.g. \"RequestHeaderModifier\". All implementations
must support core filters. \n - Extended: Filter
types and their corresponding configuration defined
by \"Support: Extended\" in this package, e.g.
\"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters
that are defined and supported by specific vendors.
\ In the future, filters showing convergence
in behavior across multiple implementations
will be considered for inclusion in extended or
core conformance levels. Filter-specific configuration
for such filters is specified using the ExtensionRef
field. `Type` should be set to \"ExtensionRef\"
for custom filters. \n Implementers are encouraged
to define custom implementation types to extend
the core API with implementation-specific behavior.
\n If a reference to a custom filter type cannot
be resolved, the filter MUST NOT be skipped. Instead,
requests that would have been processed by that
filter MUST receive a HTTP error response. \n
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause
a crash. \n Unknown values here must result in
the implementation setting the Attached Condition
for the Route to `status: False`, with a Reason
of `UnsupportedValue`. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- RequestRedirect
- URLRewrite
- ExtensionRef
type: string
urlRewrite:
description: "URLRewrite defines a schema for a
filter that modifies a request during forwarding.
\n Support: Extended \n <gateway:experimental>"
properties:
hostname:
description: "Hostname is the value to be used
to replace the Host header value during forwarding.
\n Support: Extended \n <gateway:experimental>"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines a path rewrite. \n
Support: Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies
the value with which to replace the full
path of a request during a rewrite or
redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies
the value with which to replace the prefix
match of a request during a rewrite or
redirect. For example, a request to \"/foo/bar\"
with a prefix match of \"/foo\" would
be modified to \"/bar\". \n Note that
this matches the behavior of the PathPrefix
match type. This matches full path elements.
A path element refers to the list of labels
in the path split by the `/` separator.
When specified, a trailing `/` is ignored.
For example, the paths `/abc`, `/abc/`,
and `/abc/def` would all match the prefix
`/abc`, but the path `/abcd` would not.
\n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path
modifier. Additional types may be added
in a future release of the API. \n Note
that values may be added to this enum,
implementations must ensure that unknown
values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the
Route to `status: False`, with a Reason
of `UnsupportedValue`. \n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
type: object
required:
- type
type: object
maxItems: 16
type: array
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a different namespace is specified, a
ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
type: array
filters:
description: "Filters define the filters that are applied to
requests that match this rule. \n The effects of ordering
of multiple behaviors are currently unspecified. This can
change in the future based on feedback during the alpha stage.
\n Conformance-levels at this level are defined based on the
type of filter: \n - ALL core filters MUST be supported by
all implementations. - Implementers are encouraged to support
extended filters. - Implementation-specific custom filters
have no API guarantees across implementations. \n Specifying
a core filter multiple times has unspecified or custom conformance.
\n All filters are expected to be compatible with each other
except for the URLRewrite and RequestRedirect filters, which
may not be combined. If an implementation can not support
other combinations of filters, they must clearly document
that limitation. In all cases where incompatible or unsupported
filters are specified, implementations MUST add a warning
condition to status. \n Support: Core"
items:
description: HTTPRouteFilter defines processing steps that
must be completed during the request or response lifecycle.
HTTPRouteFilters are meant as an extension point to express
processing that may be done in Gateway implementations.
Some examples include request or response modification,
implementing authentication strategies, rate-limiting, and
traffic shaping. API guarantee/conformance is defined based
on the type of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent. For
example, "networking.k8s.io". When unspecified (empty
string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for
a filter that modifies request headers. \n Support:
Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It appends
to any existing values associated with the header
name. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: add: - name: \"my-header\" value:
\"bar\" \n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the
HTTP request before the action. The value of Remove
is a list of HTTP header names. Note that the header
names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1: foo
\ my-header2: bar my-header3: baz \n Config:
\ remove: [\"my-header1\", \"my-header3\"] \n Output:
\ GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the
given header (name, value) before the action. \n
Input: GET /foo HTTP/1.1 my-header: foo \n Config:
\ set: - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter
that mirrors requests. Requests are sent to the specified
destination, but responses from that destination are
ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource where
mirrored requests are sent. \n If the referent cannot
be found, this BackendRef is invalid and must be
dropped from the Gateway. The controller must ensure
the \"ResolvedRefs\" condition on the Route status
is set to `status: False` and not configure this
backend in the underlying implementation. \n If
there is a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status: False`,
with the \"RefNotPermitted\" reason and not configure
this backend in the underlying implementation. \n
In either error case, the Message of the `ResolvedRefs`
Condition should be used to provide more detail
about the problem. \n Support: Extended for Kubernetes
Service \n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service". Defaults to
"Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the
backend. When unspecified, the local namespace
is inferred. \n Note that when a different namespace
is specified, a ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow
that namespace's owner to accept the reference.
See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port
number to use for this resource. Port is required
when the referent is a Kubernetes Service. In
this case, the port number is the service port
number, not the target port. For other resources,
destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
requestRedirect:
description: "RequestRedirect defines a schema for a filter
that responds to the request with an HTTP redirection.
\n Support: Core"
properties:
hostname:
description: "Hostname is the hostname to be used
in the value of the `Location` header in the response.
When empty, the hostname of the request is used.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines parameters used to modify
the path of the incoming request. The modified path
is then used to construct the `Location` header.
When empty, the request path is used as-is. \n Support:
Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies the value
with which to replace the full path of a request
during a rewrite or redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies the
value with which to replace the prefix match
of a request during a rewrite or redirect. For
example, a request to \"/foo/bar\" with a prefix
match of \"/foo\" would be modified to \"/bar\".
\n Note that this matches the behavior of the
PathPrefix match type. This matches full path
elements. A path element refers to the list
of labels in the path split by the `/` separator.
When specified, a trailing `/` is ignored. For
example, the paths `/abc`, `/abc/`, and `/abc/def`
would all match the prefix `/abc`, but the path
`/abcd` would not. \n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path modifier.
Additional types may be added in a future release
of the API. \n Note that values may be added
to this enum, implementations must ensure that
unknown values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the Route
to `status: False`, with a Reason of `UnsupportedValue`.
\n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
port:
description: "Port is the port to be used in the value
of the `Location` header in the response. When empty,
port (if specified) of the request is used. \n Support:
Extended"
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
description: "Scheme is the scheme to be used in the
value of the `Location` header in the response.
When empty, the scheme of the request is used. \n
Support: Extended \n Note that values may be added
to this enum, implementations must ensure that unknown
values will not cause a crash. \n Unknown values
here must result in the implementation setting the
Attached Condition for the Route to `status: False`,
with a Reason of `UnsupportedValue`."
enum:
- http
- https
type: string
statusCode:
default: 302
description: "StatusCode is the HTTP status code to
be used in response. \n Support: Core \n Note that
values may be added to this enum, implementations
must ensure that unknown values will not cause a
crash. \n Unknown values here must result in the
implementation setting the Attached Condition for
the Route to `status: False`, with a Reason of `UnsupportedValue`."
enum:
- 301
- 302
type: integer
type: object
type:
description: "Type identifies the type of filter to apply.
As with other API fields, types are classified into
three conformance levels: \n - Core: Filter types and
their corresponding configuration defined by \"Support:
Core\" in this package, e.g. \"RequestHeaderModifier\".
All implementations must support core filters. \n
- Extended: Filter types and their corresponding configuration
defined by \"Support: Extended\" in this package,
e.g. \"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters that
are defined and supported by specific vendors. In
the future, filters showing convergence in behavior
across multiple implementations will be considered
for inclusion in extended or core conformance levels.
Filter-specific configuration for such filters is
specified using the ExtensionRef field. `Type` should
be set to \"ExtensionRef\" for custom filters. \n
Implementers are encouraged to define custom implementation
types to extend the core API with implementation-specific
behavior. \n If a reference to a custom filter type
cannot be resolved, the filter MUST NOT be skipped.
Instead, requests that would have been processed by
that filter MUST receive a HTTP error response. \n Note
that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
\n Unknown values here must result in the implementation
setting the Attached Condition for the Route to `status:
False`, with a Reason of `UnsupportedValue`. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- RequestRedirect
- URLRewrite
- ExtensionRef
type: string
urlRewrite:
description: "URLRewrite defines a schema for a filter
that modifies a request during forwarding. \n Support:
Extended \n <gateway:experimental>"
properties:
hostname:
description: "Hostname is the value to be used to
replace the Host header value during forwarding.
\n Support: Extended \n <gateway:experimental>"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines a path rewrite. \n Support:
Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies the value
with which to replace the full path of a request
during a rewrite or redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies the
value with which to replace the prefix match
of a request during a rewrite or redirect. For
example, a request to \"/foo/bar\" with a prefix
match of \"/foo\" would be modified to \"/bar\".
\n Note that this matches the behavior of the
PathPrefix match type. This matches full path
elements. A path element refers to the list
of labels in the path split by the `/` separator.
When specified, a trailing `/` is ignored. For
example, the paths `/abc`, `/abc/`, and `/abc/def`
would all match the prefix `/abc`, but the path
`/abcd` would not. \n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path modifier.
Additional types may be added in a future release
of the API. \n Note that values may be added
to this enum, implementations must ensure that
unknown values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the Route
to `status: False`, with a Reason of `UnsupportedValue`.
\n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
type: object
required:
- type
type: object
maxItems: 16
type: array
matches:
default:
- path:
type: PathPrefix
value: /
description: "Matches define conditions used for matching the
rule against incoming HTTP requests. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. \n For example, take the following matches configuration:
\n ``` matches: - path: value: \"/foo\" headers: -
name: \"version\" value: \"v2\" - path: value: \"/v2/foo\"
``` \n For a request to match against this rule, a request
must satisfy EITHER of the two conditions: \n - path prefixed
with `/foo` AND contains the header `version: v2` - path prefix
of `/v2/foo` \n See the documentation for HTTPRouteMatch on
how to specify multiple match conditions that should be ANDed
together. \n If no matches are specified, the default is a
prefix path match on \"/\", which has the effect of matching
every HTTP request. \n Proxy or Load Balancer routing configuration
generated from HTTPRoutes MUST prioritize rules based on the
following criteria, continuing on ties. Precedence must be
given to the Rule with the largest number of: \n * Characters
in a matching non-wildcard hostname. * Characters in a matching
hostname. * Characters in a matching path. * Header matches.
* Query param matches. \n If ties still exist across multiple
Routes, matching precedence MUST be determined in order of
the following criteria, continuing on ties: \n * The oldest
Route based on creation timestamp. * The Route appearing first
in alphabetical order by \"{namespace}/{name}\". \n If ties
still exist within the Route that has been given precedence,
matching precedence MUST be granted to the first matching
rule meeting the above criteria. \n When no rules matching
a request have been successfully attached to the parent a
request is coming from, a HTTP 404 status code MUST be returned."
items:
description: "HTTPRouteMatch defines the predicate used to
match requests to a given action. Multiple match types are
ANDed together, i.e. the match will evaluate to true only
if all conditions are satisfied. \n For example, the match
below will match a HTTP request only if its path starts
with `/foo` AND it contains the `version: v1` header: \n
``` match: path: value: \"/foo\" headers: - name:
\"version\" value \"v1\" ```"
properties:
headers:
description: Headers specifies HTTP request header matchers.
Multiple match values are ANDed together, meaning, a
request must match all the specified headers to select
the route.
items:
description: HTTPHeaderMatch describes how to select
a HTTP route by matching HTTP request headers.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case insensitive.
(See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent header
names, only the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST be
ignored. Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered equivalent.
\n When a header is repeated in an HTTP request,
it is implementation-specific behavior as to how
this is represented. Generally, proxies should
follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
regarding processing a repeated header, with special
handling for \"Set-Cookie\"."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: "Type specifies how to match against
the value of the header. \n Support: Core (Exact)
\n Support: Custom (RegularExpression) \n Since
RegularExpression HeaderMatchType has custom conformance,
implementations can support POSIX, PCRE or any
other dialects of regular expressions. Please
read the implementation's documentation to determine
the supported dialect."
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of HTTP Header to
be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
method:
description: "Method specifies HTTP method matcher. When
specified, this route will be matched only if the request
has the specified method. \n Support: Extended"
enum:
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
type: string
path:
default:
type: PathPrefix
value: /
description: Path specifies a HTTP request path matcher.
If this field is not specified, a default prefix match
on the "/" path is provided.
properties:
type:
default: PathPrefix
description: "Type specifies how to match against
the path Value. \n Support: Core (Exact, PathPrefix)
\n Support: Custom (RegularExpression)"
enum:
- Exact
- PathPrefix
- RegularExpression
type: string
value:
default: /
description: Value of the HTTP path to match against.
maxLength: 1024
type: string
type: object
queryParams:
description: QueryParams specifies HTTP query parameter
matchers. Multiple match values are ANDed together,
meaning, a request must match all the specified query
parameters to select the route.
items:
description: HTTPQueryParamMatch describes how to select
a HTTP route by matching HTTP query parameters.
properties:
name:
description: "Name is the name of the HTTP query
param to be matched. This must be an exact string
match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
\n If multiple entries specify equivalent query
param names, only the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent query param name MUST
be ignored."
maxLength: 256
minLength: 1
type: string
type:
default: Exact
description: "Type specifies how to match against
the value of the query parameter. \n Support:
Extended (Exact) \n Support: Custom (RegularExpression)
\n Since RegularExpression QueryParamMatchType
has custom conformance, implementations can support
POSIX, PCRE or any other dialects of regular expressions.
Please read the implementation's documentation
to determine the supported dialect."
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of HTTP query param
to be matched.
maxLength: 1024
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 16
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a different namespace is specified, a ReferenceGrant
object with ReferenceGrantTo.Kind=Service is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
type: object
status:
description: Status defines the current state of HTTPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.hostnames
name: Hostnames
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: HTTPRoute provides a way to route HTTP requests. This includes
the capability to match requests by hostname, path, header, or query param.
Filters can be used to specify additional processing steps. Backends specify
where matching requests should be routed.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of HTTPRoute.
properties:
hostnames:
description: "Hostnames defines a set of hostname that should match
against the HTTP Host header to select a HTTPRoute to process the
request. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may
be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n If a hostname is specified
by both the Listener and HTTPRoute, there must be at least one intersecting
hostname for the HTTPRoute to be attached to the Listener. For example:
\n * A Listener with `test.example.com` as the hostname matches
HTTPRoutes that have either not specified any hostnames, or have
specified at least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches HTTPRoutes
\ that have either not specified any hostnames or have specified
at least one hostname that matches the Listener hostname. For
example, `*.example.com`, `test.example.com`, and `foo.test.example.com`
would all match. On the other hand, `example.com` and `test.example.net`
would not match. \n Hostnames that are prefixed with a wildcard
label (`*.`) are interpreted as a suffix match. That means that
a match for `*.example.com` would match both `test.example.com`,
and `foo.test.example.com`, but not `example.com`. \n If both the
Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
that do not match the Listener hostname MUST be ignored. For example,
if a Listener specified `*.example.com`, and the HTTPRoute specified
`test.example.com` and `test.example.net`, `test.example.net` must
not be considered for a match. \n If both the Listener and HTTPRoute
have specified hostnames, and none match with the criteria above,
then the HTTPRoute is not accepted. The implementation must raise
an 'Accepted' Condition with a status of `False` in the corresponding
RouteParentStatus. \n Support: Core"
items:
description: "Hostname is the fully qualified domain name of a network
host. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
may be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n Hostname can be \"precise\"
which is a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
name prefixed with a single wildcard label (e.g. `*.example.com`).
\n Note that as per RFC1035 and RFC1123, a *label* must consist
of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
default:
- matches:
- path:
type: PathPrefix
value: /
description: Rules are a list of HTTP matchers, filters and actions.
items:
description: HTTPRouteRule defines semantics for matching an HTTP
request based on conditions (matches), processing it (filters),
and forwarding the request to an API object (backendRefs).
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. \n Failure behavior here depends
on how many BackendRefs are specified and how many are invalid.
\n If *all* entries in BackendRefs are invalid, and there
are also no filters specified in this route rule, *all* traffic
which matches this rule MUST receive a 500 status code. \n
See the HTTPBackendRef definition for the rules about what
makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
is invalid, 500 status codes MUST be returned for requests
that would have otherwise been routed to an invalid backend.
If multiple backends are specified, and some are invalid,
the proportion of requests that would otherwise have been
routed to an invalid backend MUST receive a 500 status code.
\n For example, if two backends are specified with equal weights,
and one is invalid, 50 percent of traffic must receive a 500.
Implementations may choose how that 50 percent is determined.
\n Support: Core for Kubernetes Service \n Support: Custom
for any other resource \n Support for weight: Core"
items:
description: HTTPBackendRef defines how a HTTPRoute should
forward an HTTP request.
properties:
filters:
description: "Filters defined at this level should be
executed if and only if the request is being forwarded
to the backend defined here. \n Support: Custom (For
broader support of filters, use the Filters field in
HTTPRouteRule.)"
items:
description: HTTPRouteFilter defines processing steps
that must be completed during the request or response
lifecycle. HTTPRouteFilters are meant as an extension
point to express processing that may be done in Gateway
implementations. Some examples include request or
response modification, implementing authentication
strategies, rate-limiting, and traffic shaping. API
guarantee/conformance is defined based on the type
of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema
for a filter that modifies request headers. \n
Support: Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It
appends to any existing values associated
with the header name. \n Input: GET /foo
HTTP/1.1 my-header: foo \n Config: add:
\ - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from
the HTTP request before the action. The value
of Remove is a list of HTTP header names.
Note that the header names are case-insensitive
(see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1:
foo my-header2: bar my-header3: baz \n
Config: remove: [\"my-header1\", \"my-header3\"]
\n Output: GET /foo HTTP/1.1 my-header2:
bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with
the given header (name, value) before the
action. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: set: - name: \"my-header\"
\ value: \"bar\" \n Output: GET /foo
HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
description: "Name is the name of the
HTTP Header to be matched. Name matching
MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an
equivalent name MUST be considered for
a match. Subsequent entries with an
equivalent header name MUST be ignored.
Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP
Header to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for
a filter that mirrors requests. Requests are sent
to the specified destination, but responses from
that destination are ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource
where mirrored requests are sent. \n If the
referent cannot be found, this BackendRef
is invalid and must be dropped from the Gateway.
The controller must ensure the \"ResolvedRefs\"
condition on the Route status is set to `status:
False` and not configure this backend in the
underlying implementation. \n If there is
a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status:
False`, with the \"RefNotPermitted\" reason
and not configure this backend in the underlying
implementation. \n In either error case, the
Message of the `ResolvedRefs` Condition should
be used to provide more detail about the problem.
\n Support: Extended for Kubernetes Service
\n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When
unspecified (empty string), core API group
is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent.
For example "HTTPRoute" or "Service".
Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace
of the backend. When unspecified, the
local namespace is inferred. \n Note that
when a namespace is specified, a ReferenceGrant
object is required in the referent namespace
to allow that namespace's owner to accept
the reference. See the ReferenceGrant
documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination
port number to use for this resource.
Port is required when the referent is
a Kubernetes Service. In this case, the
port number is the service port number,
not the target port. For other resources,
destination port might be derived from
the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
requestRedirect:
description: "RequestRedirect defines a schema for
a filter that responds to the request with an
HTTP redirection. \n Support: Core"
properties:
hostname:
description: "Hostname is the hostname to be
used in the value of the `Location` header
in the response. When empty, the hostname
of the request is used. \n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines parameters used to
modify the path of the incoming request. The
modified path is then used to construct the
`Location` header. When empty, the request
path is used as-is. \n Support: Extended \n
<gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies
the value with which to replace the full
path of a request during a rewrite or
redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies
the value with which to replace the prefix
match of a request during a rewrite or
redirect. For example, a request to \"/foo/bar\"
with a prefix match of \"/foo\" would
be modified to \"/bar\". \n Note that
this matches the behavior of the PathPrefix
match type. This matches full path elements.
A path element refers to the list of labels
in the path split by the `/` separator.
When specified, a trailing `/` is ignored.
For example, the paths `/abc`, `/abc/`,
and `/abc/def` would all match the prefix
`/abc`, but the path `/abcd` would not.
\n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path
modifier. Additional types may be added
in a future release of the API. \n Note
that values may be added to this enum,
implementations must ensure that unknown
values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the
Route to `status: False`, with a Reason
of `UnsupportedValue`. \n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
port:
description: "Port is the port to be used in
the value of the `Location` header in the
response. When empty, port (if specified)
of the request is used. \n Support: Extended"
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
description: "Scheme is the scheme to be used
in the value of the `Location` header in the
response. When empty, the scheme of the request
is used. \n Support: Extended \n Note that
values may be added to this enum, implementations
must ensure that unknown values will not cause
a crash. \n Unknown values here must result
in the implementation setting the Attached
Condition for the Route to `status: False`,
with a Reason of `UnsupportedValue`."
enum:
- http
- https
type: string
statusCode:
default: 302
description: "StatusCode is the HTTP status
code to be used in response. \n Support: Core
\n Note that values may be added to this enum,
implementations must ensure that unknown values
will not cause a crash. \n Unknown values
here must result in the implementation setting
the Attached Condition for the Route to `status:
False`, with a Reason of `UnsupportedValue`."
enum:
- 301
- 302
type: integer
type: object
type:
description: "Type identifies the type of filter
to apply. As with other API fields, types are
classified into three conformance levels: \n -
Core: Filter types and their corresponding configuration
defined by \"Support: Core\" in this package,
e.g. \"RequestHeaderModifier\". All implementations
must support core filters. \n - Extended: Filter
types and their corresponding configuration defined
by \"Support: Extended\" in this package, e.g.
\"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters
that are defined and supported by specific vendors.
\ In the future, filters showing convergence
in behavior across multiple implementations
will be considered for inclusion in extended or
core conformance levels. Filter-specific configuration
for such filters is specified using the ExtensionRef
field. `Type` should be set to \"ExtensionRef\"
for custom filters. \n Implementers are encouraged
to define custom implementation types to extend
the core API with implementation-specific behavior.
\n If a reference to a custom filter type cannot
be resolved, the filter MUST NOT be skipped. Instead,
requests that would have been processed by that
filter MUST receive a HTTP error response. \n
Note that values may be added to this enum, implementations
must ensure that unknown values will not cause
a crash. \n Unknown values here must result in
the implementation setting the Attached Condition
for the Route to `status: False`, with a Reason
of `UnsupportedValue`. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- RequestRedirect
- URLRewrite
- ExtensionRef
type: string
urlRewrite:
description: "URLRewrite defines a schema for a
filter that modifies a request during forwarding.
\n Support: Extended \n <gateway:experimental>"
properties:
hostname:
description: "Hostname is the value to be used
to replace the Host header value during forwarding.
\n Support: Extended \n <gateway:experimental>"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines a path rewrite. \n
Support: Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies
the value with which to replace the full
path of a request during a rewrite or
redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies
the value with which to replace the prefix
match of a request during a rewrite or
redirect. For example, a request to \"/foo/bar\"
with a prefix match of \"/foo\" would
be modified to \"/bar\". \n Note that
this matches the behavior of the PathPrefix
match type. This matches full path elements.
A path element refers to the list of labels
in the path split by the `/` separator.
When specified, a trailing `/` is ignored.
For example, the paths `/abc`, `/abc/`,
and `/abc/def` would all match the prefix
`/abc`, but the path `/abcd` would not.
\n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path
modifier. Additional types may be added
in a future release of the API. \n Note
that values may be added to this enum,
implementations must ensure that unknown
values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the
Route to `status: False`, with a Reason
of `UnsupportedValue`. \n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
type: object
required:
- type
type: object
maxItems: 16
type: array
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a namespace is specified, a ReferenceGrant
object is required in the referent namespace to allow
that namespace's owner to accept the reference. See
the ReferenceGrant documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
type: array
filters:
description: "Filters define the filters that are applied to
requests that match this rule. \n The effects of ordering
of multiple behaviors are currently unspecified. This can
change in the future based on feedback during the alpha stage.
\n Conformance-levels at this level are defined based on the
type of filter: \n - ALL core filters MUST be supported by
all implementations. - Implementers are encouraged to support
extended filters. - Implementation-specific custom filters
have no API guarantees across implementations. \n Specifying
a core filter multiple times has unspecified or custom conformance.
\n All filters are expected to be compatible with each other
except for the URLRewrite and RequestRedirect filters, which
may not be combined. If an implementation can not support
other combinations of filters, they must clearly document
that limitation. In all cases where incompatible or unsupported
filters are specified, implementations MUST add a warning
condition to status. \n Support: Core"
items:
description: HTTPRouteFilter defines processing steps that
must be completed during the request or response lifecycle.
HTTPRouteFilters are meant as an extension point to express
processing that may be done in Gateway implementations.
Some examples include request or response modification,
implementing authentication strategies, rate-limiting, and
traffic shaping. API guarantee/conformance is defined based
on the type of the filter.
properties:
extensionRef:
description: "ExtensionRef is an optional, implementation-specific
extension to the \"filter\" behavior. For example,
resource \"myroutefilter\" in group \"networking.example.net\").
ExtensionRef MUST NOT be used for core and extended
filters. \n Support: Implementation-specific"
properties:
group:
description: Group is the group of the referent. For
example, "networking.k8s.io". When unspecified (empty
string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
requestHeaderModifier:
description: "RequestHeaderModifier defines a schema for
a filter that modifies request headers. \n Support:
Core"
properties:
add:
description: "Add adds the given header(s) (name,
value) to the request before the action. It appends
to any existing values associated with the header
name. \n Input: GET /foo HTTP/1.1 my-header:
foo \n Config: add: - name: \"my-header\" value:
\"bar\" \n Output: GET /foo HTTP/1.1 my-header:
foo my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
description: "Remove the given header(s) from the
HTTP request before the action. The value of Remove
is a list of HTTP header names. Note that the header
names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
\n Input: GET /foo HTTP/1.1 my-header1: foo
\ my-header2: bar my-header3: baz \n Config:
\ remove: [\"my-header1\", \"my-header3\"] \n Output:
\ GET /foo HTTP/1.1 my-header2: bar"
items:
type: string
maxItems: 16
type: array
set:
description: "Set overwrites the request with the
given header (name, value) before the action. \n
Input: GET /foo HTTP/1.1 my-header: foo \n Config:
\ set: - name: \"my-header\" value: \"bar\"
\n Output: GET /foo HTTP/1.1 my-header: bar"
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case
insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent
header names, the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST
be ignored. Due to the case-insensitivity
of header names, \"foo\" and \"Foo\" are considered
equivalent."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
description: Value is the value of HTTP Header
to be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
description: "RequestMirror defines a schema for a filter
that mirrors requests. Requests are sent to the specified
destination, but responses from that destination are
ignored. \n Support: Extended"
properties:
backendRef:
description: "BackendRef references a resource where
mirrored requests are sent. \n If the referent cannot
be found, this BackendRef is invalid and must be
dropped from the Gateway. The controller must ensure
the \"ResolvedRefs\" condition on the Route status
is set to `status: False` and not configure this
backend in the underlying implementation. \n If
there is a cross-namespace reference to an *existing*
object that is not allowed by a ReferenceGrant,
the controller must ensure the \"ResolvedRefs\"
\ condition on the Route is set to `status: False`,
with the \"RefNotPermitted\" reason and not configure
this backend in the underlying implementation. \n
In either error case, the Message of the `ResolvedRefs`
Condition should be used to provide more detail
about the problem. \n Support: Extended for Kubernetes
Service \n Support: Custom for any other resource"
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "networking.k8s.io". When unspecified
(empty string), core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For
example "HTTPRoute" or "Service". Defaults to
"Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the
backend. When unspecified, the local namespace
is inferred. \n Note that when a namespace is
specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's
owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port
number to use for this resource. Port is required
when the referent is a Kubernetes Service. In
this case, the port number is the service port
number, not the target port. For other resources,
destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
required:
- backendRef
type: object
requestRedirect:
description: "RequestRedirect defines a schema for a filter
that responds to the request with an HTTP redirection.
\n Support: Core"
properties:
hostname:
description: "Hostname is the hostname to be used
in the value of the `Location` header in the response.
When empty, the hostname of the request is used.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines parameters used to modify
the path of the incoming request. The modified path
is then used to construct the `Location` header.
When empty, the request path is used as-is. \n Support:
Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies the value
with which to replace the full path of a request
during a rewrite or redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies the
value with which to replace the prefix match
of a request during a rewrite or redirect. For
example, a request to \"/foo/bar\" with a prefix
match of \"/foo\" would be modified to \"/bar\".
\n Note that this matches the behavior of the
PathPrefix match type. This matches full path
elements. A path element refers to the list
of labels in the path split by the `/` separator.
When specified, a trailing `/` is ignored. For
example, the paths `/abc`, `/abc/`, and `/abc/def`
would all match the prefix `/abc`, but the path
`/abcd` would not. \n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path modifier.
Additional types may be added in a future release
of the API. \n Note that values may be added
to this enum, implementations must ensure that
unknown values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the Route
to `status: False`, with a Reason of `UnsupportedValue`.
\n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
port:
description: "Port is the port to be used in the value
of the `Location` header in the response. When empty,
port (if specified) of the request is used. \n Support:
Extended"
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
description: "Scheme is the scheme to be used in the
value of the `Location` header in the response.
When empty, the scheme of the request is used. \n
Support: Extended \n Note that values may be added
to this enum, implementations must ensure that unknown
values will not cause a crash. \n Unknown values
here must result in the implementation setting the
Attached Condition for the Route to `status: False`,
with a Reason of `UnsupportedValue`."
enum:
- http
- https
type: string
statusCode:
default: 302
description: "StatusCode is the HTTP status code to
be used in response. \n Support: Core \n Note that
values may be added to this enum, implementations
must ensure that unknown values will not cause a
crash. \n Unknown values here must result in the
implementation setting the Attached Condition for
the Route to `status: False`, with a Reason of `UnsupportedValue`."
enum:
- 301
- 302
type: integer
type: object
type:
description: "Type identifies the type of filter to apply.
As with other API fields, types are classified into
three conformance levels: \n - Core: Filter types and
their corresponding configuration defined by \"Support:
Core\" in this package, e.g. \"RequestHeaderModifier\".
All implementations must support core filters. \n
- Extended: Filter types and their corresponding configuration
defined by \"Support: Extended\" in this package,
e.g. \"RequestMirror\". Implementers are encouraged
to support extended filters. \n - Custom: Filters that
are defined and supported by specific vendors. In
the future, filters showing convergence in behavior
across multiple implementations will be considered
for inclusion in extended or core conformance levels.
Filter-specific configuration for such filters is
specified using the ExtensionRef field. `Type` should
be set to \"ExtensionRef\" for custom filters. \n
Implementers are encouraged to define custom implementation
types to extend the core API with implementation-specific
behavior. \n If a reference to a custom filter type
cannot be resolved, the filter MUST NOT be skipped.
Instead, requests that would have been processed by
that filter MUST receive a HTTP error response. \n Note
that values may be added to this enum, implementations
must ensure that unknown values will not cause a crash.
\n Unknown values here must result in the implementation
setting the Attached Condition for the Route to `status:
False`, with a Reason of `UnsupportedValue`. \n "
enum:
- RequestHeaderModifier
- RequestMirror
- RequestRedirect
- URLRewrite
- ExtensionRef
type: string
urlRewrite:
description: "URLRewrite defines a schema for a filter
that modifies a request during forwarding. \n Support:
Extended \n <gateway:experimental>"
properties:
hostname:
description: "Hostname is the value to be used to
replace the Host header value during forwarding.
\n Support: Extended \n <gateway:experimental>"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: "Path defines a path rewrite. \n Support:
Extended \n <gateway:experimental>"
properties:
replaceFullPath:
description: "ReplaceFullPath specifies the value
with which to replace the full path of a request
during a rewrite or redirect. \n <gateway:experimental>"
maxLength: 1024
type: string
replacePrefixMatch:
description: "ReplacePrefixMatch specifies the
value with which to replace the prefix match
of a request during a rewrite or redirect. For
example, a request to \"/foo/bar\" with a prefix
match of \"/foo\" would be modified to \"/bar\".
\n Note that this matches the behavior of the
PathPrefix match type. This matches full path
elements. A path element refers to the list
of labels in the path split by the `/` separator.
When specified, a trailing `/` is ignored. For
example, the paths `/abc`, `/abc/`, and `/abc/def`
would all match the prefix `/abc`, but the path
`/abcd` would not. \n <gateway:experimental>"
maxLength: 1024
type: string
type:
description: "Type defines the type of path modifier.
Additional types may be added in a future release
of the API. \n Note that values may be added
to this enum, implementations must ensure that
unknown values will not cause a crash. \n Unknown
values here must result in the implementation
setting the Attached Condition for the Route
to `status: False`, with a Reason of `UnsupportedValue`.
\n <gateway:experimental>"
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
type: object
required:
- type
type: object
maxItems: 16
type: array
matches:
default:
- path:
type: PathPrefix
value: /
description: "Matches define conditions used for matching the
rule against incoming HTTP requests. Each match is independent,
i.e. this rule will be matched if **any** one of the matches
is satisfied. \n For example, take the following matches configuration:
\n ``` matches: - path: value: \"/foo\" headers: -
name: \"version\" value: \"v2\" - path: value: \"/v2/foo\"
``` \n For a request to match against this rule, a request
must satisfy EITHER of the two conditions: \n - path prefixed
with `/foo` AND contains the header `version: v2` - path prefix
of `/v2/foo` \n See the documentation for HTTPRouteMatch on
how to specify multiple match conditions that should be ANDed
together. \n If no matches are specified, the default is a
prefix path match on \"/\", which has the effect of matching
every HTTP request. \n Proxy or Load Balancer routing configuration
generated from HTTPRoutes MUST prioritize rules based on the
following criteria, continuing on ties. Precedence must be
given to the Rule with the largest number of: \n * Characters
in a matching non-wildcard hostname. * Characters in a matching
hostname. * Characters in a matching path. * Header matches.
* Query param matches. \n If ties still exist across multiple
Routes, matching precedence MUST be determined in order of
the following criteria, continuing on ties: \n * The oldest
Route based on creation timestamp. * The Route appearing first
in alphabetical order by \"{namespace}/{name}\". \n If ties
still exist within the Route that has been given precedence,
matching precedence MUST be granted to the FIRST matching
rule (in list order) meeting the above criteria. \n When no
rules matching a request have been successfully attached to
the parent a request is coming from, a HTTP 404 status code
MUST be returned."
items:
description: "HTTPRouteMatch defines the predicate used to
match requests to a given action. Multiple match types are
ANDed together, i.e. the match will evaluate to true only
if all conditions are satisfied. \n For example, the match
below will match a HTTP request only if its path starts
with `/foo` AND it contains the `version: v1` header: \n
``` match: path: value: \"/foo\" headers: - name:
\"version\" value \"v1\" ```"
properties:
headers:
description: Headers specifies HTTP request header matchers.
Multiple match values are ANDed together, meaning, a
request must match all the specified headers to select
the route.
items:
description: HTTPHeaderMatch describes how to select
a HTTP route by matching HTTP request headers.
properties:
name:
description: "Name is the name of the HTTP Header
to be matched. Name matching MUST be case insensitive.
(See https://tools.ietf.org/html/rfc7230#section-3.2).
\n If multiple entries specify equivalent header
names, only the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent header name MUST be
ignored. Due to the case-insensitivity of header
names, \"foo\" and \"Foo\" are considered equivalent.
\n When a header is repeated in an HTTP request,
it is implementation-specific behavior as to how
this is represented. Generally, proxies should
follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
regarding processing a repeated header, with special
handling for \"Set-Cookie\"."
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: "Type specifies how to match against
the value of the header. \n Support: Core (Exact)
\n Support: Custom (RegularExpression) \n Since
RegularExpression HeaderMatchType has custom conformance,
implementations can support POSIX, PCRE or any
other dialects of regular expressions. Please
read the implementation's documentation to determine
the supported dialect."
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of HTTP Header to
be matched.
maxLength: 4096
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
method:
description: "Method specifies HTTP method matcher. When
specified, this route will be matched only if the request
has the specified method. \n Support: Extended"
enum:
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
type: string
path:
default:
type: PathPrefix
value: /
description: Path specifies a HTTP request path matcher.
If this field is not specified, a default prefix match
on the "/" path is provided.
properties:
type:
default: PathPrefix
description: "Type specifies how to match against
the path Value. \n Support: Core (Exact, PathPrefix)
\n Support: Custom (RegularExpression)"
enum:
- Exact
- PathPrefix
- RegularExpression
type: string
value:
default: /
description: Value of the HTTP path to match against.
maxLength: 1024
type: string
type: object
queryParams:
description: QueryParams specifies HTTP query parameter
matchers. Multiple match values are ANDed together,
meaning, a request must match all the specified query
parameters to select the route.
items:
description: HTTPQueryParamMatch describes how to select
a HTTP route by matching HTTP query parameters.
properties:
name:
description: "Name is the name of the HTTP query
param to be matched. This must be an exact string
match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
\n If multiple entries specify equivalent query
param names, only the first entry with an equivalent
name MUST be considered for a match. Subsequent
entries with an equivalent query param name MUST
be ignored. \n If a query param is repeated in
an HTTP request, the behavior is purposely left
undefined, since different data planes have different
capabilities. However, it's *recommended* that
implementations should match against the first
value of the param if the data plane supports
it, as this behavior is expected in other load
balancing contexts outside of the Gateway API.
Users should not route traffic based on repeated
query params to guard themselves against potential
differences in the implementations."
maxLength: 256
minLength: 1
type: string
type:
default: Exact
description: "Type specifies how to match against
the value of the query parameter. \n Support:
Extended (Exact) \n Support: Custom (RegularExpression)
\n Since RegularExpression QueryParamMatchType
has custom conformance, implementations can support
POSIX, PCRE or any other dialects of regular expressions.
Please read the implementation's documentation
to determine the supported dialect."
enum:
- Exact
- RegularExpression
type: string
value:
description: Value is the value of HTTP query param
to be matched.
maxLength: 1024
minLength: 1
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 16
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a namespace is specified, a ReferenceGrant object is
required in the referent namespace to allow that namespace's
owner to accept the reference. See the ReferenceGrant documentation
for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
type: object
status:
description: Status defines the current state of HTTPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: meshes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: Mesh
listKind: MeshList
plural: meshes
singular: mesh
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.controllerName
name: Controller
type: string
- jsonPath: .status.conditions[?(@.type=="Accepted")].status
name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.description
name: Description
priority: 1
type: string
name: v1alpha2
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of MeshSpec.
properties:
controllerName:
description: "GatewayController is the name of a Gateway API controller.
It must be a domain prefixed path. \n Valid values include: \n *
\"example.com/bar\" \n Invalid values include: \n * \"example.com\"
- must include path * \"foo.example.com\" - must include path"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
description:
description: Description helps describe a Mesh with more details.
maxLength: 64
type: string
parametersRef:
description: "ParametersRef is a reference to a resource that contains
the configuration parameters corresponding to the Mesh. This is
optional if the controller does not require any additional configuration.
\n ParametersRef can reference a standard Kubernetes resource, i.e.
ConfigMap, or an implementation-specific custom resource. The resource
can be cluster-scoped or namespace-scoped. \n If the referent cannot
be found, the Mesh's \"InvalidParameters\" status condition will
be true. \n Support: Custom"
properties:
group:
description: Group is the group of the referent.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. This
field is required when referring to a Namespace-scoped resource
and MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- controllerName
type: object
status:
default:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: Status defines the current state of Mesh.
properties:
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
description: "Conditions is the current status from the controller
for this Mesh. \n Controllers should prefer to publish conditions
using values of MeshConditionType for the type of each Condition."
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: referencegrants.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: ReferenceGrant
listKind: ReferenceGrantList
plural: referencegrants
shortNames:
- refgrant
singular: referencegrant
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "ReferenceGrant identifies kinds of resources in other namespaces
that are trusted to reference the specified kinds of resources in the same
namespace as the policy. \n Each ReferenceGrant can be used to represent
a unique trust relationship. Additional Reference Grants can be used to
add to the set of trusted sources of inbound references for the namespace
they are defined within. \n All cross-namespace references in Gateway API
(with the exception of cross-namespace Gateway-route attachment) require
a ReferenceGrant. \n Support: Core"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ReferenceGrant.
properties:
from:
description: "From describes the trusted namespaces and kinds that
can reference the resources described in \"To\". Each entry in this
list must be considered to be an additional place that references
can be valid from, or to put this another way, entries must be combined
using OR. \n Support: Core"
items:
description: ReferenceGrantFrom describes trusted namespaces and
kinds.
properties:
group:
description: "Group is the group of the referent. When empty,
the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations
may support additional resources, the following types are
part of the \"Core\" support level for this field. \n When
used to permit a SecretObjectReference: \n * Gateway \n When
used to permit a BackendObjectReference: \n * HTTPRoute *
TCPRoute * TLSRoute * UDPRoute"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
description: "Namespace is the namespace of the referent. \n
Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- namespace
type: object
maxItems: 16
minItems: 1
type: array
to:
description: "To describes the resources that may be referenced by
the resources described in \"From\". Each entry in this list must
be considered to be an additional place that references can be valid
to, or to put this another way, entries must be combined using OR.
\n Support: Core"
items:
description: ReferenceGrantTo describes what Kinds are allowed as
targets of the references.
properties:
group:
description: "Group is the group of the referent. When empty,
the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations
may support additional resources, the following types are
part of the \"Core\" support level for this field: \n * Secret
when used to permit a SecretObjectReference * Service when
used to permit a BackendObjectReference"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent. When unspecified,
this policy refers to all resources of the specified Group
and Kind in the local namespace.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
type: object
maxItems: 16
minItems: 1
type: array
required:
- from
- to
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: referencepolicies.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: ReferencePolicy
listKind: ReferencePolicyList
plural: referencepolicies
shortNames:
- refpol
singular: referencepolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
deprecated: true
deprecationWarning: ReferencePolicy has been renamed to ReferenceGrant. ReferencePolicy
will be removed in v0.6.0 in favor of the identical ReferenceGrant resource.
name: v1alpha2
schema:
openAPIV3Schema:
description: "ReferencePolicy identifies kinds of resources in other namespaces
that are trusted to reference the specified kinds of resources in the same
namespace as the policy. \n Note: This resource has been renamed to ReferenceGrant.
ReferencePolicy will be removed in v0.6.0 in favor of the identical ReferenceGrant
resource. \n Each ReferencePolicy can be used to represent a unique trust
relationship. Additional Reference Policies can be used to add to the set
of trusted sources of inbound references for the namespace they are defined
within. \n All cross-namespace references in Gateway API (with the exception
of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n
Support: Core"
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of ReferencePolicy.
properties:
from:
description: "From describes the trusted namespaces and kinds that
can reference the resources described in \"To\". Each entry in this
list must be considered to be an additional place that references
can be valid from, or to put this another way, entries must be combined
using OR. \n Support: Core"
items:
description: ReferenceGrantFrom describes trusted namespaces and
kinds.
properties:
group:
description: "Group is the group of the referent. When empty,
the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations
may support additional resources, the following types are
part of the \"Core\" support level for this field. \n When
used to permit a SecretObjectReference: \n * Gateway \n When
used to permit a BackendObjectReference: \n * HTTPRoute *
TCPRoute * TLSRoute * UDPRoute"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
description: "Namespace is the namespace of the referent. \n
Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- namespace
type: object
maxItems: 16
minItems: 1
type: array
to:
description: "To describes the resources that may be referenced by
the resources described in \"From\". Each entry in this list must
be considered to be an additional place that references can be valid
to, or to put this another way, entries must be combined using OR.
\n Support: Core"
items:
description: ReferenceGrantTo describes what Kinds are allowed as
targets of the references.
properties:
group:
description: "Group is the group of the referent. When empty,
the Kubernetes core API group is inferred. \n Support: Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: "Kind is the kind of the referent. Although implementations
may support additional resources, the following types are
part of the \"Core\" support level for this field: \n * Secret
when used to permit a SecretObjectReference * Service when
used to permit a BackendObjectReference"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent. When unspecified,
this policy refers to all resources of the specified Group
and Kind in the local namespace.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
type: object
maxItems: 16
minItems: 1
type: array
required:
- from
- to
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tcproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: TCPRoute
listKind: TCPRouteList
plural: tcproutes
singular: tcproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: TCPRoute provides a way to route TCP requests. When combined
with a Gateway listener, it can be used to forward connections on the port
specified by the listener to a set of backends specified by the TCPRoute.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of TCPRoute.
properties:
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of TCP matchers and actions.
items:
description: TCPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. If unspecified or invalid (refers
to a non-existent resource or a Service with no endpoints),
the underlying implementation MUST actively reject connection
attempts to this backend. Connection rejections must respect
weight; if an invalid backend is requested to have 80% of
connections, then 80% of connections must be rejected instead.
\n Support: Core for Kubernetes Service \n Support: Custom
for any other resource \n Support for weight: Extended"
items:
description: "BackendRef defines how a Route should forward
a request to a Kubernetes resource. \n Note that when a
namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner
to accept the reference. See the ReferenceGrant documentation
for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a different namespace is specified, a
ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a different namespace is specified, a ReferenceGrant
object with ReferenceGrantTo.Kind=Service is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
required:
- rules
type: object
status:
description: Status defines the current state of TCPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tlsroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: TLSRoute
listKind: TLSRouteList
plural: tlsroutes
singular: tlsroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: "The TLSRoute resource is similar to TCPRoute, but can be configured
to match against TLS-specific metadata. This allows more flexibility in
matching streams for a given TLS listener. \n If you need to forward traffic
to a single target for a TLS listener, you could choose to use a TCPRoute
with a TLS listener."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of TLSRoute.
properties:
hostnames:
description: "Hostnames defines a set of SNI names that should match
against the SNI attribute of TLS ClientHello message in TLS handshake.
This matches the RFC 1123 definition of a hostname with 2 notable
exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The
wildcard label must appear by itself as the first label. \n If
a hostname is specified by both the Listener and TLSRoute, there
must be at least one intersecting hostname for the TLSRoute to be
attached to the Listener. For example: \n * A Listener with `test.example.com`
as the hostname matches TLSRoutes that have either not specified
any hostnames, or have specified at least one of `test.example.com`
or `*.example.com`. * A Listener with `*.example.com` as the hostname
matches TLSRoutes that have either not specified any hostnames
or have specified at least one hostname that matches the Listener
hostname. For example, `test.example.com` and `*.example.com`
would both match. On the other hand, `example.com` and `test.example.net`
would not match. \n If both the Listener and TLSRoute have specified
hostnames, any TLSRoute hostnames that do not match the Listener
hostname MUST be ignored. For example, if a Listener specified `*.example.com`,
and the TLSRoute specified `test.example.com` and `test.example.net`,
`test.example.net` must not be considered for a match. \n If both
the Listener and TLSRoute have specified hostnames, and none match
with the criteria above, then the TLSRoute is not accepted. The
implementation must raise an 'Accepted' Condition with a status
of `False` in the corresponding RouteParentStatus. \n Support: Core"
items:
description: "Hostname is the fully qualified domain name of a network
host. This matches the RFC 1123 definition of a hostname with
2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
may be prefixed with a wildcard label (`*.`). The wildcard label
must appear by itself as the first label. \n Hostname can be \"precise\"
which is a domain name without the terminating dot of a network
host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
name prefixed with a single wildcard label (e.g. `*.example.com`).
\n Note that as per RFC1035 and RFC1123, a *label* must consist
of lower case alphanumeric characters or '-', and must start and
end with an alphanumeric character. No other punctuation is allowed."
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
type: array
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of TLS matchers and actions.
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. If unspecified or invalid (refers
to a non-existent resource or a Service with no endpoints),
the rule performs no forwarding; if no filters are specified
that would result in a response being sent, the underlying
implementation must actively reject request attempts to this
backend, by rejecting the connection or returning a 500 status
code. Request rejections must respect weight; if an invalid
backend is requested to have 80% of requests, then 80% of
requests must be rejected instead. \n Support: Core for Kubernetes
Service \n Support: Custom for any other resource \n Support
for weight: Extended"
items:
description: "BackendRef defines how a Route should forward
a request to a Kubernetes resource. \n Note that when a
namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner
to accept the reference. See the ReferenceGrant documentation
for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a different namespace is specified, a
ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a different namespace is specified, a ReferenceGrant
object with ReferenceGrantTo.Kind=Service is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
required:
- rules
type: object
status:
description: Status defines the current state of TLSRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1086
gateway.networking.k8s.io/bundle-version: v0.6.0-dev
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: udproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: UDPRoute
listKind: UDPRouteList
plural: udproutes
singular: udproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: UDPRoute provides a way to route UDP traffic. When combined with
a Gateway listener, it can be used to forward traffic on the port specified
by the listener to a set of backends specified by the UDPRoute.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of UDPRoute.
properties:
parentRefs:
description: "ParentRefs references the resources (usually Gateways)
that a Route wants to be attached to. Note that the referenced parent
resource needs to allow this for the attachment to be complete.
For Gateways, that means the Gateway needs to allow attachment from
Routes of this kind and namespace. \n The only kind of parent resource
with \"Core\" support is Gateway. This API may be extended in the
future to support additional kinds of parent resources such as one
of the route kinds. \n It is invalid to reference an identical parent
more than once. It is valid to reference multiple distinct sections
within the same parent resource, such as 2 Listeners within a Gateway.
\n It is possible to separately reference multiple distinct objects
that may be collapsed by an implementation. For example, some implementations
may choose to merge compatible Gateway Listeners together. If that
is the case, the list of routes attached to those resources should
also be merged."
items:
description: "ParentReference identifies an API object (usually
a Gateway) that can be considered a parent of this resource (usually
a route). The only kind of parent resource with \"Core\" support
is Gateway. This API may be extended in the future to support
additional kinds of parent resources, such as HTTPRoute. \n The
API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid."
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support: Core
(Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent. When
unspecified, this refers to the local namespace of the Route.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets. It
can be interpreted differently based on the type of parent
resource. \n When the parent resource is a Gateway, this targets
all listeners listening on the specified port that also support
this kind of Route(and select this Route). It's not recommended
to set `Port` unless the networking behaviors specified in
a Route must apply to a specific port as opposed to a listener(s)
whose port(s) may be changed. When both Port and SectionName
are specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY choose
to support other parent resources. Implementations supporting
other types of parent resources MUST clearly document how/if
Port is interpreted. \n For the purpose of status, an attachment
is considered successful as long as the parent resource accepts
it partially. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within the
target resource. In the following resources, SectionName is
interpreted as the following: \n * Gateway: Listener Name.
When both Port (experimental) and SectionName are specified,
the name and port of the selected listener must match both
specified values. \n Implementations MAY choose to support
attaching Routes to other resources. If that is the case,
they MUST clearly document how SectionName is interpreted.
\n When unspecified (empty string), this will reference the
entire resource. For the purpose of status, an attachment
is considered successful if at least one section in the parent
resource accepts it. For example, Gateway listeners can restrict
which Routes can attach to them by Route kind, namespace,
or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this
Route, the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
maxItems: 32
type: array
rules:
description: Rules are a list of UDP matchers and actions.
items:
description: UDPRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: "BackendRefs defines the backend(s) where matching
requests should be sent. If unspecified or invalid (refers
to a non-existent resource or a Service with no endpoints),
the underlying implementation MUST actively reject connection
attempts to this backend. Packet drops must respect weight;
if an invalid backend is requested to have 80% of the packets,
then 80% of packets must be dropped instead. \n Support: Core
for Kubernetes Service Support: Custom for any other resource
\n Support for weight: Extended"
items:
description: "BackendRef defines how a Route should forward
a request to a Kubernetes resource. \n Note that when a
namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner
to accept the reference. See the ReferenceGrant documentation
for details."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string),
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example
"HTTPRoute" or "Service". Defaults to "Service" when
not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend.
When unspecified, the local namespace is inferred. \n
Note that when a different namespace is specified, a
ReferenceGrant object with ReferenceGrantTo.Kind=Service
is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number
to use for this resource. Port is required when the
referent is a Kubernetes Service. In this case, the
port number is the service port number, not the target
port. For other resources, destination port might be
derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
description: "Weight specifies the proportion of requests
forwarded to the referenced backend. This is computed
as weight/(sum of all weights in this BackendRefs list).
For non-zero values, there may be some epsilon from
the exact proportion defined here depending on the precision
an implementation supports. Weight is not a percentage
and the sum of weights does not need to equal 100. \n
If only one backend is specified and it has a weight
greater than 0, 100% of the traffic is forwarded to
that backend. If weight is set to 0, no traffic should
be forwarded for this entry. If unspecified, weight
defaults to 1. \n Support for this field varies based
on the context where used."
format: int32
maximum: 1000000
minimum: 0
type: integer
required:
- name
type: object
maxItems: 16
minItems: 1
type: array
type: object
maxItems: 16
minItems: 1
type: array
services:
items:
description: "BackendObjectReference defines how an ObjectReference
that is specific to BackendRef. It includes a few additional fields
and features than a regular ObjectReference. \n Note that when
a namespace is specified, a ReferenceGrant object is required
in the referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n The API object must be valid in the cluster; the Group and
Kind must be registered in the cluster for this reference to be
valid. \n References to objects with invalid Group and Kind are
not valid, and must be rejected by the implementation, with appropriate
Conditions set on the containing object."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"networking.k8s.io". When unspecified (empty string), core
API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: Kind is kind of the referent. For example "HTTPRoute"
or "Service". Defaults to "Service" when not specified.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a different namespace is specified, a ReferenceGrant
object with ReferenceGrantTo.Kind=Service is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for details.
\n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port specifies the destination port number to use
for this resource. Port is required when the referent is a
Kubernetes Service. In this case, the port number is the service
port number, not the target port. For other resources, destination
port might be derived from the referent resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- name
type: object
type: array
required:
- rules
type: object
status:
description: Status defines the current state of UDPRoute.
properties:
parents:
description: "Parents is a list of parent resources (usually Gateways)
that are associated with the route, and the status of the route
with respect to each parent. When this route attaches to a parent,
the controller that manages the parent must add an entry to this
list when the controller first sees the route and should update
the entry as appropriate when the route or gateway is modified.
\n Note that parent references that cannot be resolved by an implementation
of this API will not be added to this list. Implementations of this
API can only populate Route status for the Gateways/parent resources
they are responsible for. \n A maximum of 32 Gateways will be represented
in this list. An empty list means the route has not been attached
to any Gateway."
items:
description: RouteParentStatus describes the status of a route with
respect to an associated Parent.
properties:
conditions:
description: "Conditions describes the status of the route with
respect to the Gateway. Note that the route's availability
is also subject to the Gateway's own status conditions and
listener status. \n If the Route's ParentRef specifies an
existing Gateway that supports Routes of this kind AND that
Gateway's controller has sufficient access, then that Gateway's
controller MUST set the \"Accepted\" condition on the Route,
to indicate whether the route has been accepted or rejected
by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
if at least one of the Route's rules is implemented by the
Gateway. \n There are a number of cases where the \"Accepted\"
condition may not be set due to lack of controller visibility,
that includes when: \n * The Route refers to a non-existent
parent. * The Route is of a type that the controller does
not support. * The Route is in a namespace the controller
does not have access to."
items:
description: "Condition contains details for one aspect of
the current state of this API Resource. --- This struct
is intended for direct use as an array at the field path
.status.conditions. For example, type FooStatus struct{
\ // Represents the observations of a foo's current state.
\ // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map //
+listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should
be when the underlying condition changed. If that is
not known, then using the time when the API field changed
is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance,
if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the
current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last transition.
Producers of specific condition types may define expected
values and meanings for this field, and whether the
values are considered a guaranteed API. The value should
be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across
resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability
to deconflict is important. The regex it matches is
(dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: "ControllerName is a domain/path string that indicates
the name of the controller that wrote this status. This corresponds
with the controllerName field on GatewayClass. \n Example:
\"example.net/gateway-controller\". \n The format of this
field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
\n Controllers MUST populate this field when writing status.
Controllers should ensure that entries to status populated
with their ControllerName are cleaned up when they are no
longer necessary."
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
description: ParentRef corresponds with a ParentRef in the spec
that this RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: "Group is the group of the referent. \n Support:
Core"
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: "Kind is kind of the referent. \n Support:
Core (Gateway) \n Support: Custom (Other Resources)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: "Name is the name of the referent. \n Support:
Core"
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referent.
When unspecified, this refers to the local namespace of
the Route. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: "Port is the network port this Route targets.
It can be interpreted differently based on the type of
parent resource. \n When the parent resource is a Gateway,
this targets all listeners listening on the specified
port that also support this kind of Route(and select this
Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to
a specific port as opposed to a listener(s) whose port(s)
may be changed. When both Port and SectionName are specified,
the name and port of the selected listener must match
both specified values. \n Implementations MAY choose to
support other parent resources. Implementations supporting
other types of parent resources MUST clearly document
how/if Port is interpreted. \n For the purpose of status,
an attachment is considered successful as long as the
parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them
by Route kind, namespace, or hostname. If 1 of 2 Gateway
listeners accept attachment from the referencing Route,
the Route MUST be considered successfully attached. If
no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Extended \n <gateway:experimental>"
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: "SectionName is the name of a section within
the target resource. In the following resources, SectionName
is interpreted as the following: \n * Gateway: Listener
Name. When both Port (experimental) and SectionName are
specified, the name and port of the selected listener
must match both specified values. \n Implementations MAY
choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName
is interpreted. \n When unspecified (empty string), this
will reference the entire resource. For the purpose of
status, an attachment is considered successful if at least
one section in the parent resource accepts it. For example,
Gateway listeners can restrict which Routes can attach
to them by Route kind, namespace, or hostname. If 1 of
2 Gateway listeners accept attachment from the referencing
Route, the Route MUST be considered successfully attached.
If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
\n Support: Core"
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
required:
- controllerName
- parentRef
type: object
maxItems: 32
type: array
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
Raw
demo.yaml
apiVersion: v1
kind: Namespace
metadata:
name: default
labels:
istio-injection: enabled
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo-v1
labels:
app: echo
spec:
selector:
matchLabels:
app: echo
version: v1
template:
metadata:
labels:
app: echo
version: v1
spec:
containers:
- name: echo
image: gcr.io/istio-testing/app:latest
imagePullPolicy: IfNotPresent
args:
- --port=80
---
apiVersion: v1
kind: Service
metadata:
name: echo-v1
spec:
selector:
app: echo
version: v1
ports:
- name: http
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo-v2
labels:
app: echo
spec:
selector:
matchLabels:
app: echo
version: v2
template:
metadata:
labels:
app: echo
version: v2
spec:
containers:
- name: echo
image: gcr.io/istio-testing/app:latest
imagePullPolicy: IfNotPresent
args:
- --port=80
---
apiVersion: v1
kind: Service
metadata:
name: echo-v2
spec:
selector:
app: echo
version: v2
ports:
- name: http
port: 80
- name: https
port: 443
- name: tcp
port: 9090
- name: tcp-sf
port: 9091
- name: grpc
port: 7070
---
apiVersion: v1
kind: Service
metadata:
name: echo
spec:
selector:
app: echo
ports:
- name: http
port: 80
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: echo-canary
namespace: default
spec:
parentRefs:
- kind: Mesh
name: istio
services:
- name: echo
rules:
- backendRefs:
- name: echo-v1
port: 80
weight: 4
- name: echo-v2
port: 80
weight: 1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: shell
spec:
selector:
matchLabels:
app: shell
template:
metadata:
labels:
app: shell
spec:
terminationGracePeriodSeconds: 0
containers:
- name: shell
image: howardjohn/shell
imagePullPolicy: IfNotPresent
args:
- /bin/sleep
- infinity
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment